DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Review of the Transportation Security Administration’s
Role in the Use and Dissemination of Airline Passenger Data
(Redacted)

The Department of Homeland Security, Office of Inspector General, has redacted this
report for public release under the Freedom of Information Act, 5 U.S.C. § 552(b)(4).

Office of Inspections, Evaluations, & Special Reviews

OIG-05-12    March 2005

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared by
the OIG as part of its DHS oversight responsibilities to promote economy, effectiveness, and
efficiency within the department.

This report assesses TSA’s role in the use and dissemination of airline passenger data, assesses
TSA’s related disclosures, and evaluates the agency’s operating environment with respect to
privacy issues.
It is based on interviews and exchanges with employees and officials of the
Transportation Security Administration, other federal agencies, and contractors, as well as a
review of applicable documents.

The recommendations herein have been developed to the best knowledge available to the OIG,
and have been discussed in draft with those responsible for implementation. It is our hope that
this report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Acting Inspector General

Contents

Introduction
Results in Brief
Background
    CAPPS
    CAPPS II
    Statutory Requirements
    Public Disclosure of Information
Purpose, Scope, and Methodology
TSA’s Role in Airline Passenger Data Transfers
    Data Transfers to Support Other Federal Agencies
        United States Secret Service
        Army Subcontractor Torch Concepts
    Data Transfers Associated with CAPPS II Development
        Risk Assessment Engine Prototype Vendors
        Airline Automation, Inc.
        Airline Data Interface Testing
        Sabre Holdings
    Data Transfers in CAPPS Improvement Effort
        CAPPS Improvement
    Conclusions
Information Disclosure Regarding Airline Passenger Data Transfers
    FOIA Requests
    U.S. Senate Testimony
    Government Accountability Office and Media Reports
    Disclosure of Information to the DHS Privacy Office
    Conclusions
TSA Privacy Focus

Appendices

    Appendix A: Management Comments
    Appendix B: OIG Evaluation of Management Comments
    Appendix C: Recommendations
    Appendix D: Airline Passenger Data Transfers Covered in this Report
    Appendix E: Confidentiality and Disposition of Airline Passenger Data Transferred
    Appendix F: Airline Passenger Data Transfer Detail
    Appendix G: Privacy Act of 1974 and E-Government Act of 2002
    Appendix H: JetBlue Passenger Data Provided to TSA
    Appendix I: DHS Privacy Office Requests of TSA
    Appendix J: Major Contributors
    Appendix K: Report Distribution

Figures

    Figure 1: Overview of Major CAPPS II System Components

Abbreviations

  AAI         Airline Automation, Inc.
  ACLU        American Civil Liberties Union
  ATSA        Aviation and Transportation Security Act
  ADI         Airline Data Interface
  AVOPS       Transportation Security Administration, Aviation Operations
  CAPPS       Computer Assisted Passenger Pre-screening System
  CAPPS II    Computer Assisted Passenger Pre-screening System, Second Generation
  CD          Compact Disc
  CFR         Code of Federal Regulations
  CIO         Chief Information Officer
  CPO         Chief Privacy Officer
  CRS         Computerized Reservation System
  DARPA       Defense Advanced Research Projects Agency
  DHS         Department of Homeland Security
  DOD         Department of Defense
  DOT         Department of Transportation
  FAA         Federal Aviation Administration
  Fed. Reg.   Federal Register
  FOIA        Freedom of Information Act
  FTP         File Transfer Protocol
  GAO         Government Accountability Office
  GDS         Global Distribution System
  IBM         International Business Machines Corporation
  MOU         Memorandum of Understanding
  OCC         Transportation Security Administration, Office of Chief Counsel
  OIG         Office of Inspector General
  OMB         Office of Management and Budget, Executive Office of the President
  ONRA        Transportation Security Administration, Office of National Risk Assessment
  PIA         Privacy Impact Assessment
  PNR         Passenger Name Record
  RAE         Risk Assessment Engine
  TSA         Transportation Security Administration
  SCPC        Selectee Checkpoint Program Completion Team
  U.S.C.      United States Code
  USSS        United States Secret Service

Introduction

TSA has authority to access and obtain airline passenger data under provisions
of its enabling statute, the Aviation and Transportation Security Act (ATSA)
of November 2001.[1] The Assistant Secretary[2] for TSA may establish policies
and procedures requiring airlines to provide passenger data in order to protect
transportation security.[3] The Assistant Secretary is further authorized to require
“passenger air carriers to share passenger lists … for the purpose of identifying
individuals who may pose a threat to aviation or national security.”[4]

As the federal agency in charge of aviation security, TSA is also responsible
for providing oversight of passenger pre-screening efforts.[5] Since 1998, airline
passenger pre-screening has been performed using a data analysis application
called the Computer Assisted Passenger Pre-screening System (CAPPS). After
TSA assumed oversight of passenger pre-screening in February 2002, the agency
began developing a second generation system, CAPPS II, to improve upon the
existing system.
TSA no longer plans to implement CAPPS II, and recently
announced its intention to proceed with the testing and deployment of a new
passenger pre-screening system, Secure Flight. Through its efforts to implement
the Secure Flight system, TSA will continue to work with airline passenger data.
The agency’s handling of airline passenger data will, therefore, continue as TSA
seeks to fulfill this mission.

[1] Public Law No. 107-71.
[2] ATSA established TSA under the Department of Transportation. The head of TSA was the Under Secretary of
Transportation for Security. Under the Homeland Security Act of 2002, Public Law 107-296, TSA transferred to DHS.
The head of TSA is now referred to as the Assistant Secretary of Homeland Security for the Transportation Security
Administration.
[3] 49 U.S.C. § 114(d)(1), § 114(e), and § 44901(a).
[4] The Assistant Secretary must consult with the Transportation Security Oversight Board before establishing this requirement.
49 U.S.C. § 114(h)(4).
[5] 49 U.S.C. § 44903(j)(2).

In February 2004, the Department of Homeland Security (DHS) Privacy Office
issued a Report to the Public on Events Surrounding jetBlue Data Transfer in
connection with one of the data exchanges covered in this review.[6] In its report,
the DHS Privacy Office referred its findings to the DHS Office of Inspector
General (OIG) for further review.[7] The U.S. Army OIG independently conducted
an investigation into the same transfer and published a report on June 21, 2004.
Neither of these reports addressed the other cases of airline passenger data sharing
discussed in this review or TSA’s disclosures associated with those exchanges.

Results in Brief

In reviewing TSA’s role in the use and dissemination of airline passenger data,
we focused on data sharing in three contexts.[8] First, we examined TSA’s efforts
to support the provision of airline passenger data to other agencies and their
contractors. Second, we explored airline passenger data transfers associated
with the Second Generation, Computer Assisted Passenger Pre-screening System
(CAPPS II). Third, we reviewed TSA’s role in obtaining airline passenger data to
improve the current CAPPS.
We did not review TSA’s use or transfer of airline
passenger data for investigative, law enforcement, or other purposes.

In addition to TSA’s role in the use and dissemination of airline passenger data,
we reviewed TSA’s disclosures of information associated with its involvement in
airline passenger data transfers. Finally, we reviewed measures TSA has taken to
address data privacy and confidentiality issues.

We examined information related to TSA’s role in fourteen transfers of airline
passenger data.[9] In two cases, these transfers did not result in any data review
or analysis on the part of the recipients. Collectively, the remaining transfers
involved more than 12 million records associated with passengers traveling on
at least six air carriers – America West Airlines, American Airlines, Continental
Airlines, Delta Air Lines, Frontier Airlines, and JetBlue Airways.

[6] JetBlue Airways’ corporate logo represents the airline’s name with a lowercase “j.” Accordingly, the DHS Privacy Office
spelled “jetBlue” with a lowercase “j” in its report. Because the airline’s incorporated name, “JetBlue Airways Corporation,”
appears with a capital “J,” we have adopted this spelling in the body of our report.
[7] DHS Privacy Office, Report to the Public on Events Surrounding jetBlue Data Transfer, February 20, 2004, p. 9.
[8] As used in this report, “data sharing” refers to the transfer of data from one entity to another. Under this definition, data
sharing includes the transfer of data in one direction, and does not necessarily imply two-way data transfers between the
parties to the sharing.
[9] Under the definition above, a transfer of several sets of records from one entity to another is counted as a single transfer.

The fourteen transfers took place between February 2002 and June 2003. In two
instances of airline passenger data exchange, TSA sought to support the national
security functions of other agencies by facilitating transfers. In eleven cases, TSA
was engaged in efforts to develop CAPPS II. In one case, TSA obtained records
in order to study improvements to its existing CAPPS program. The information
that we gathered and analyzed with respect to all of these exchanges indicated
that, in each case, these data transfers were executed in the performance and
support of TSA’s responsibilities to improve transportation security.

According to the parties who received data in all but three of these transfers, the
transferred data has been destroyed or is retained in a secured setting. The firm
associated with the three remaining transfers did not provide information for our
review and, as a result, we have no information on the final disposition of related
passenger data. In all but one case, information communicated in the transfers
was used for research purposes and did not result in any agency determinations
regarding individuals reflected in the data.

In its role in these transfers, however, TSA did not ensure that privacy protections
were in place for all of the passenger data transfers.
While TSA applied privacy
protections in some contexts, shortcomings were also apparent in the agency’s
related contracting, oversight, and follow-up efforts.

Although TSA and the Federal Aviation Administration (FAA), acting on
TSA’s behalf, included language safeguarding the security and confidentiality
of passenger information in some contracts and agreements, they did not do so
in all cases. In one case, the parties to a data transfer did not sign any contract
or agreement restricting the use or disclosure of shared data. Even when the
parties to a data transfer were bound by agreement, TSA failed to monitor and
enforce adherence to the terms of the agreement completely. In addition, TSA
did not consistently track the usage, security, or disposition of passenger data and
was, therefore, not in a position to determine whether such usage, security, or
disposition was appropriate.

Nevertheless, most of the transfers that we reviewed were executed between
parties bound by agreements forbidding additional sharing or disclosure of
the passenger information. Of the more than 12 million records transferred, a
passenger’s data was inappropriately disclosed to the public in only one instance.
In this instance, a government contractor’s inappropriate disclosure of information
was inadvertent.

CAPPS II and TSA staff viewed passenger data in only three cases. In one of
those instances, TSA did not demonstrate the effective use of sound privacy
practice.

In 2003 and 2004, TSA officials made inaccurate statements regarding these
transfers that undermined public trust in the agency. These misstatements
were apparently not meant to mischaracterize known facts. Instead, they were
premised on an incomplete understanding of the underlying facts at the time the
statements were made.

Errors in TSA’s statements about these airline passenger data transfers arose from
internal document collection efforts that were incomplete and, in one case, from
inaccurate information from an airline. Early shortcomings in the production
of related documents have been improved by recent efforts within the agency to
provide for full disclosure.

TSA’s policy environment with respect to privacy has changed substantially
since its inception. From its inception, TSA recognized personal privacy and
confidentiality as important concerns. Especially in the immediate aftermath
of the September 11, 2001, attacks, finding a balance between these concerns
and transportation and aviation security was a difficult challenge. Over the past
twenty months, a number of important changes have expanded the prominence
of privacy concerns in the agency’s operations. Major new privacy legislation
is now in effect, and both DHS and TSA have dedicated staff to enforce this
legislation.[10] In addition, program changes and the evolving public relations
position of the agency have helped foster a new organizational culture with
respect to matters of privacy.
While TSA continues to balance privacy and
security, its declared commitments to both goals have been corroborated by its
recent actions.

[10] Title II of the E-Government Act of 2002, Public Law No. 107-347, went into effect on April 17, 2003.

We are recommending that the Assistant Secretary for Transportation Security, in
coordination with the Chief Privacy Officer, as appropriate:

  1. Develop clear protocols for obtaining airline passenger data and
     facilitating its exchange among other parties.

  2. Ensure privacy and personal data protections are written into acquisition
     documents where performance may involve the collection, maintenance,
     use, or dissemination of individually identifiable data.

  3. Require final reporting for acquisitions with intensive data analysis
     or processing components that addresses data receipt, processing,
     distribution, utilization, and disposition, as well as attention to data
     security and privacy.

  4. Require entities performing work for TSA to report to the agency on how
     they are addressing data security, privacy protections, and confidentiality.

  5. Re-evaluate TSA’s response to FOIA requesters who solicited
     information in September 2003 regarding their airline passenger
     data. Such a reevaluation should, at minimum, involve the removal or
     amendment of the letter posted on TSA’s FOIA reading room web site to
     reflect the fact that TSA is in possession of JetBlue passenger data.

  6. Adopt procedures for responding to external and intra-departmental
     requests for information that help guarantee a comprehensive, timely, and
     reliable response.

  7. Appoint a TSA external privacy advisory board, as specified in TSA’s
     five-point plan, to review all agency privacy impact assessments, and, to
     provide consultation regarding the scope and methods of TSA supported
     data analysis and research involving individually identifiable data.

  8. Develop procedures that will provide a clear process to:
     (1) approve the agency’s role in data sharing that involves individually
     identifiable information; and, (2) identify a particular employee
     responsible for monitoring the data security, usage, and final disposition
     of each transfer of individually identifiable information in which TSA
     becomes involved.

Background

The Computer Assisted Passenger Pre-screening System (CAPPS)

Prior to the terrorist attacks of September 11, 2001, U.S. airlines analyzed airline
passenger data to support aviation security for more than three years.
Data submitted to airlines in the course of commercial transactions was routinely
analyzed to identify “selectees” – individuals to receive additional security
screening. This data analysis was performed using a computer application called
CAPPS. The system was established in 1998, based on development efforts
begun in 1994 at Northwest Airlines in conjunction with funding from the FAA.

Aviation and security experts considered CAPPS an improvement in methods
of screening potential threats to aviation from a large and expanding passenger
base. The CAPPS program was structured to address various security, privacy,
and civil rights concerns. First, to reduce predictability and mitigate efforts
to reverse engineer the system, CAPPS included an element of randomness in
passenger selections. Second, to address concerns about data retention, officials
guaranteed that no CAPPS information on passengers was retained after the safe
completion of their flight. Third, to ensure that the system was not discriminatory,
CAPPS was reviewed by the U.S. Department of Justice and determined not to
discriminate illegally against travelers, or involve any invasion of passengers’
personal privacy.[11]

There were inherent CAPPS limitations, however. The system’s decentralization
figured prominently among these limitations.
Signi\xef\xac\x81cantly, CAPPS was regulated\n                         by the FAA and operated by the airlines. The FAA supplied scoring rules for\n                         \xef\xac\x82agging selectees, and the airlines used these rules to evaluate their passenger\n                         data, generate scores for each passenger, and determine whether a passenger\n                         would be selected for further security scrutiny. The decentralized nature of the\n                         system complicated the process of updating rules to re\xef\xac\x82ect new information, such\n                         as intelligence about terrorist strategies and techniques.\n\n                         The CAPPS system was also restricted in its informational reach. The CAPPS\n                         analysis was limited to airline passenger data provided by passengers to airlines\n                         and reservations systems. It did not: (1) access information on passengers\n                         from publicly available commercial data sources; (2) analyze passenger data for\n                         international \xef\xac\x82ights operated by foreign carriers; or, (3) tap into information on\n                         government watch lists.\n\n                         These CAPPS limitations and other aviation security weaknesses were most\n                         evident with the multiple hijackings and terrorist attacks of September 11,\n                         2001. On that morning, the nineteen hijackers were screened prior to boarding\n                         four aircraft according to security measures in effect at the time. Seven of the\n                         hijackers were among passengers chosen for additional security scrutiny based\n                         on scores generated by CAPPS; two hijackers were selected for extra scrutiny\n\n11\n U.S. 
Department of Justice press release, \xe2\x80\x9cJustice Department Review of FAA Passenger Screening Proposal Concludes It\nWon\xe2\x80\x99t Discriminate Against Airline Travelers,\xe2\x80\x9d October 1, 1997.\n\n\nPage 10                      TSA\xe2\x80\x99s Role in the Use and Dissemination of Airline Passenger Data\n\x0c                          by an airline representative who found them to be suspicious; and one hijacker\n                          was selected at random for additional security measures. As noted in the 9/11\n                          Commission Report, the only consequence of the hijackers\xe2\x80\x99 selection was that\n                          their checked bags were submitted to additional scrutiny.12\n\n        Second Generation Computer Assisted Passenger Pre-screening System\n        (CAPPS II)\n\n                          Authority to manage and regulate the CAPPS system was conferred upon TSA\n                          when it assumed civil aviation security functions and responsibilities performed\n                          by FAA on February 17, 2002.13 Department of Transportation (DOT) of\xef\xac\x81cials\n                          understood that TSA\xe2\x80\x99s November 2001 enabling statute, ATSA, mandated\n                          improvement of CAPPS; therefore, as early as December 2001, senior DOT\n                          of\xef\xac\x81cials started evaluating ideas for system improvements.\n\n                          On March 1, 2002, transportation of\xef\xac\x81cials chartered the formation of a team to\n                          develop a second-generation pre-screening system, CAPPS II. Administrative\n                          support for the project was provided under a contract with TRW, and information\n                          and personnel resources were drawn from throughout the government. 
The CAPPS II program budget and contracting staff came from the FAA’s Technical Center in Atlantic City, New Jersey. Two special advisors to the Secretary of Transportation were brought in to provide technical expertise on system development. Just as early CAPPS II development efforts called on resources within DOT, so, too, was knowledge and expertise outside of the department sought. Staff from the Department of Defense’s (DOD’s) Defense Advanced Research Projects Agency (DARPA) evaluated proposals and shared technical insights during the March through June 2002 time frame.[14] Also, CAPPS II program staff received consultative and evaluative assistance from officials working with the interagency Foreign Terrorist Tracking Task Force and U.S.

[12] TSA now provides additional screening of a selectee’s person, in addition to their checked bags. See National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report, July 22, 2004, Chapter 1, “We Have Some Planes,” for more detail on the screening of the September 11, 2001 hijackers.
[13] Notice of Assumption of Civil Aviation Security Functions, 67 Fed. Reg. 7939 (Feb. 20, 2002).
[14] Regarded as experts in automated risk assessment and systems development, the DARPA staff who helped evaluate proposals in the spring of 2002 were affiliated with DARPA’s now defunct Total Information Awareness project.
The Total Information Awareness project, which was later renamed “Terrorism Information Awareness,” aimed to help predict terrorist attacks by creating an electronic network with the capability to identify patterns of suspect activity in commercial and government data systems. After expressions of concern by privacy advocates, Congress eliminated funding for the project in the 2004 Department of Defense appropriation (Public Law No. 108-87 § 8131(a)). Apart from this limited consultation, we found no other linkage between the CAPPS II program and the Total Information Awareness effort.

Customs. The MITRE Corporation also supported the CAPPS II proposal review and contracting process.

During the July through August 2002 time frame, management and oversight of CAPPS II development efforts shifted from the DOT chief information officer’s (CIO’s) office to the TSA CIO’s office. Both the executive sponsor[15] and the program manager for the initiative changed. Program management changed once more in November 2002, when the project was moved to TSA’s Office of National Risk Assessment (ONRA).

Despite changes in program management, the fundamental concept behind CAPPS II remained constant.
From early 2002 forward, plans for an effective CAPPS II system depended on the interplay of two major system components. One system component, the Risk Assessment Engine (RAE), was to confirm the identity and assess the risk of passengers to aviation security. The other system component, the Airline Data Interface (ADI), in turn, was to serve as the conduit for passenger data to and from the RAE.

Figure 1. Overview of Major CAPPS II System Components

[Figure: Airline Passenger Data Systems (varied airline passenger data); Airline Data Interface (ADI): passenger data converted to standard format for RAE, and passenger data plus RAE score returned to original format; Risk Assessment Engine (RAE): identity verification and risk assessment.]

[15] An executive sponsor is typically responsible for: (1) providing general guidance to the
project team, (2) serving as liaison between departmental leadership and the program manager, and (3) advocating for changes needed for effective program development at the leadership level.

Prior to the system’s deployment, TSA needed to establish that CAPPS II and its constituent parts would function properly in a real world setting. Therefore, it was necessary to test the system’s prototypes and components. The ADI component required testing to demonstrate that it could process large volumes of diversely structured data into a common format and return data in its original format with an appended passenger risk indicator. Testing was necessary because airline passenger data is maintained in a number of Computerized Reservation Systems (CRSes) and Global Distribution Systems (GDSes) that accumulate disparate sets of passenger data in varied formats. While some passenger data systems host limited information, others possess extensive data on individuals, including the details of past travel, car and hotel reservation plans, dates of birth, phone numbers, e-mail addresses, residential and business addresses, and credit card information. Records that reflect detail on individual passengers’ travel plans and booking information are known as Passenger Name Records (PNRs).
ADI specifications required that it have the initial capability to process two million individual PNRs daily.

For the RAE component, a demonstration was necessary to prove that the system could perform identity authentication functions using commercial data and cross-reference passenger data against government watch lists. The effectiveness of matching watch list information with commercial databases could be tested only using information on real people. Accordingly, on some scale it was necessary to use data on real people for RAE testing.

Statutory Requirements

In addition to the technical and functional challenges that TSA faced in pursuit of its mandate to pre-screen airline passengers, two statutes affected CAPPS II development: the Privacy Act and the E-Government Act.[16]

The Privacy Act contains a number of noteworthy data privacy protections. Provisions of the law, for example, restrict improper access to and disclosure of personal information. The Privacy Act also includes requirements that federal agencies publish information about records systems they maintain.
The failure to comply with these and other aspects of the law can result in civil or criminal penalties.

[16] See Appendix G for further information on the Privacy Act and the E-Government Act.

These provisions of the Privacy Act are invoked, however, only when an agency’s records meet the legal standard for a “system of records.” A number of criteria must be met for a set of records to meet the standard for a system of records under the law. One criterion for meeting this standard is that an agency’s records must be retrieved or accessed by the agency, or a proxy for the agency, using an individually identifying particular, such as name or social security number.

Under the Privacy Act, notices for all government systems of record are to be published in the Federal Register. Published systems of record notices document the authorities under which the government agency maintains the system of records, the purpose the system serves, the types of records contained in the system, and their routine uses.
In response to this provision of the Privacy Act, DOT published an initial system of records notice for CAPPS II on January 15, 2003.[17] After reviewing public comments on the initial CAPPS II notice, TSA issued a revised Interim Final Notice for CAPPS II on August 1, 2003.[18]

Important provisions of the E-Government Act, a more recent statute applicable to CAPPS II development, took effect in April 2003. The E-Government Act requires all agencies to conduct Privacy Impact Assessments (PIAs) for new information technology investments and new electronic information systems and collections. The PIA development process was designed to ensure that data handling complies with relevant laws, that agencies consider the risks and effects of their data systems, and that they examine system design alternatives to reduce privacy risks. Ultimately, PIAs result in published documents that address the above specified issues and provide greater detail about government information systems than are required for Privacy Act system of records notices.[19]

Public Disclosure of Information

To foster development and testing of CAPPS II and support improvements to the original CAPPS, TSA participated in twelve airline passenger data transfers in 2002 and 2003. TSA had a role in two additional passenger data transfers in 2002 to support the work of other agencies.
The public’s first awareness of any of these transfers came in September 2003.

[17] 68 Fed. Reg. 2101 (Jan. 15, 2003).
[18] 68 Fed. Reg. 45265 (Aug. 1, 2003).
[19] See Appendix G for more information on the Privacy Act and E-Government Act.

In September 2003, the media reported on a transfer of JetBlue Airways passenger data to DOD subcontractor Torch Concepts. TSA’s initial explanations regarding this transfer indicated that the agency had provided only an introduction between the two parties. Later, TSA disclosed that it had requested in writing that JetBlue provide passenger data to Torch Concepts.

Senators, privacy advocacy groups, and the media initiated a series of requests for information following the release of these stories and statements regarding the data transfer to Torch Concepts. The DHS Privacy Office and the Army OIG later conducted inquiries into the data transfer.

On February 20, 2004, the DHS Privacy Office issued a Report to the Public on Events Surrounding jetBlue Data Transfer that addressed the transfer of airline passenger data from JetBlue to Torch Concepts. The DHS Privacy Office found no violations of the Privacy Act on the part of TSA employees.
However, according to the report, it was “beyond the scope of the Privacy Office to determine whether these employees may have otherwise exceeded the normal scope of TSA operations.”[20] Accordingly, we decided to review TSA’s use and dissemination of airline passenger data in this and all other relevant cases.

The Army OIG conducted a separate inquiry into the same transfer and issued a report on June 21, 2004.[21] The Army OIG report found that its subcontractor, Torch Concepts, did not violate the Privacy Act in its receipt and analysis of the JetBlue data.

In April 2004, American Airlines released a statement saying that in June 2002, at the request of TSA, some passenger travel data was turned over by an American Airlines vendor to four research companies vying for contracts with TSA. The same month, the vendor, Airline Automation, Inc.
(AAI), released a press statement saying that it provided American PNR data in 2002 to four companies that were then testing aviation security systems for TSA.

In light of past TSA statements that the CAPPS II program had not used airline passenger data for testing, the disclosure that companies working with TSA obtained airline passenger data in 2002 to test aviation security systems fueled public assertions and reports that the agency was withholding information about its operations.

[20] Department of Homeland Security, Privacy Office, Report to the Public on Events Surrounding jetBlue Data Transfer, February 20, 2004, p. 9.
[21] U.S. Department of Defense, Department of the Army, Office of the Inspector General, Report of Investigation 04-007, JetBlue, (hereinafter referred to as Army OIG Report), June 21, 2004.

These reports were reinforced by later TSA disclosures that it had used airline passenger data for testing CAPPS II prototypes. On June 23, 2004, TSA’s Acting Administrator, in a nomination hearing to become Assistant Secretary of Homeland Security for TSA, revealed more information about TSA’s role in the transfer of airline passenger data.
The Acting Administrator submitted a document for the congressional record that specified the use of six airlines’ passenger data for CAPPS II prototype testing.

Purpose, Scope, and Methodology

We conducted this review to determine whether TSA’s role and actions in the use and dissemination of airline passenger data were appropriate. Also, the review was conducted to resolve confusion about TSA’s involvement in cases of airline passenger data sharing and to identify the cause of this confusion.

We framed our review around three objectives:

• Present a comprehensive summary of TSA’s role in the analysis and transfer of airline passenger data;
• Assess the extent to which TSA was forthcoming in disclosing information related to these transfers; and
• Evaluate TSA’s current operating environment with respect to matters of privacy and the sharing and exchange of passenger data.

Our fieldwork was carried out from April to August 2004. This fieldwork included substantial file reviews and more than 40 interviews. We interviewed TSA personnel at headquarters and several TSA field offices, as well as personnel from other agencies.
Among those interviewed were: the former Deputy Secretary of Transportation; the former DOT chief information officer designate; the former TSA deputy administrator; the DHS chief privacy officer (CPO); the Office of National Risk Assessment director; the TSA chief information officer; the TSA associate director of the Freedom of Information Act and Privacy Act Division; and the TSA chief counsel.

Additionally, we interviewed or queried CAPPS II program contractors, cooperative agreement recipients, and grantees; select airlines; global distribution systems; and airline data aggregators. We contacted all of the early CAPPS II prototype vendors: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; International Business Machines Corporation (IBM); and the Lockheed Martin Corporation. After identifying contacts for each firm, we requested interviews. Each of the companies made it clear that they were not willing to submit to an interview. As a substitute for interviews, we sent questionnaires to each of the companies. HNC Software/Fair Isaac was the only vendor that did not respond to our questionnaire. We incorporated the other companies’ responses in the draft where appropriate.
We also interviewed representatives from Acxiom, Airline Automation, Inc., Delta Air Lines, Galileo, JetBlue Airways, Sabre Holdings, and Torch Concepts.

These efforts were supplemented by the review of CAPPS II program and contracting files, as well as materials that TSA components submitted to the TSA FOIA office in response to related FOIA requests.

TSA’s leadership, persons involved in CAPPS II development, and TSA’s rank and file staff all made themselves available to us during the course of our inquiry and, in many cases, provided indispensable support.

This special review was conducted under the authority of the Inspector General Act of 1978, as amended and according to inspections standards promulgated by the President’s Council on Integrity and Efficiency.

TSA’s Role in Airline Passenger Data Transfers

To repeat, we reviewed TSA’s role in airline passenger data transfers in three operational contexts. First, we reviewed TSA’s role in airline passenger data transfers to support other federal agencies. Second, we explored airline passenger data transfers associated with CAPPS II. Third, we reviewed TSA’s role in obtaining airline passenger data to improve the current CAPPS system.

Data Transfers to Support Other Federal Agencies

TSA facilitated airline passenger data sharing to support the national security functions of other agencies in two cases. In the first instance, TSA assisted the U.S.
Secret Service (USSS) in obtaining data to assist with the security efforts at the Salt Lake City Winter Olympics in early 2002. In the other case, CAPPS II program staff requested that JetBlue furnish passenger records to an Army subcontractor, Torch Concepts, for its work on a base security enhancement project.

United States Secret Service

The 2002 Winter Olympics in Salt Lake City, Utah, was designated a “National Security Special Event.” With this designation, the USSS became the lead agency for designing, planning, and implementing security.[22] USSS security coordination for the Olympics included collaboration with TSA.

The USSS assistant director for Protective Research sent a letter, dated January 11, 2002, to the FAA deputy associate administrator for Civil Aviation Security requesting a civil aviation security directive authorizing dissemination of airline passenger information to the USSS to support efforts to coordinate security at the Olympics.
In addition, this information would facilitate the evaluation of a new project that included a process “to allow federal law enforcement the capability of name checking passengers against selected law enforcement databases.” The project drew on coordination among the USSS, Delta Air Lines, ARINC Incorporated (an aviation communications and engineering company), and InRange Technology Corporation, an information technology firm.

On February 5, 2002, TSA directed Delta to provide airline passenger data to the USSS to enhance security for the 2002 Winter Olympic Games.[23] TSA issued this authorization by security directive, a power the administrator of TSA may use to mandate actions on the part of aviation sector entities to respond to threat assessments or specific threats against civil aviation.[24] In this case, TSA’s security directive expressly ordered Delta to provide PNR and other customer information details, including dates of birth, to the USSS. It authorized Delta to provide this information for all passengers traveling on flights through February 26, 2002, to locations hosting Olympic events and any other venues selected by the USSS or its partners.[25] In addition, it specified that data recipients were to limit dissemination of the passenger data strictly to personnel in their organizations with an operational need-to-know.
No airline other than Delta was subject to this security directive.

[22] 18 U.S.C. § 3056(e)(1).
[23] Security Directive 108-02-02, signed February 5, 2002.
[24] 14 CFR § 108.305. Effective February 17, 2002, this provision was transferred to 49 CFR § 1544.305, 67 Fed. Reg. 8340 (Feb. 22, 2002).
[25] According to the TSA security directive, Delta was authorized to provide passenger data for passengers on flights beginning on February 1, 2001. Delta officials report, however, that this was a typographical error in the security directive and that the TSA administrator manually changed the date to February 1, 2002, on Delta’s signed copy. Because the security directive also notes that the USSS believed data collected a year before the Olympics may be relevant to event security, we believe the authorization was intended to apply to data from February 1, 2001 forward.

Pursuant to the security directive, Delta provided airline passenger data to the USSS. To set out parameters for USSS handling of its passenger data, Delta signed a Memorandum of Understanding (MOU) with the USSS on February 8, 2002. The MOU set boundaries on data disclosure and specified that the data would be destroyed as soon as possible following the security directive’s expiration date.
Passenger data disclosure was restricted to the following parties:

• USSS staff with an operational need to know;
• Other governmental agencies, as necessary, to execute legitimate law enforcement activities; and
• USSS partners, ARINC and InRange.

Delta officials said that its airline passenger records were transferred over a private, secure encrypted network. The passenger records that it furnished to the USSS corresponded to incoming flights to airports in the vicinity of Salt Lake City, Utah. The USSS received only a subset of information contained within Delta’s passenger name records, including first and last name, address, phone number, and flight information. The airline said it restricted the information it shared with the USSS to a minimum.

Once received, according to the USSS, the records were stored on a stand-alone computer in a secure location and were not shared with any parties outside the USSS. The USSS does not know the exact number of records it received, but it reports that they were all destroyed following the Olympics. The USSS used the data to determine whether individuals of interest to the agency were traveling in the vicinity of the Olympics.
In the process, the USSS also assessed the quality of its pilot program with Delta, InRange, and ARINC.

At no time were Delta passenger records relating to this transfer transmitted or otherwise provided to TSA. TSA did not facilitate the transfer of any additional passenger data in relation to the Olympics. TSA’s security directive expired with the conclusion of the Olympics.

At the time of the passenger data transfer, the USSS maintained a declared system of records that TSA asserts applied to the acquisition and analysis of these passenger records. In particular, TSA holds that the USSS August 28, 2001, Privacy Act systems of record notice for its Protection Information System covers the airline passenger data it received in February 2002.[26] The declared categories

[26] U.S. Department of Homeland Security, Transportation Security Administration, Office of Chief Counsel, Report on Passenger Name Record Data Exchanges Involving Projects to Improve Passenger Screening, August 18, 2004, p.
62.

of records associated with this USSS system include “records containing information compiled for the purpose of identifying and evaluating individuals who may constitute a threat to the safety of persons or security of areas protected by the USSS.”[27]

Army Subcontractor Torch Concepts

JetBlue Passenger Data Transfer

Torch Concepts is a small Huntsville, Alabama, firm with proprietary data analysis software that it operates under the name “Acumen.” According to Torch Concepts’ Chief Executive Officer, the firm previously had done work for the military and considered applying its technology to a broader array of homeland security efforts after September 11, 2001.

In March 2002, Torch Concepts became a subcontractor of SRS Technologies on the Army’s Base Security Enhancement Study.[28] The Army enlisted Torch Concepts’ services to prove the feasibility of its approach to uncovering terrorist activities.
Under the terms of its task order, Torch Concepts was to use its software to search airline passenger data for terrorists whose records were to be added to the passenger data set used in the analysis.

Torch Concepts had difficulty securing the data that were essential to meet the terms of its subcontract. After initial overtures to Delta and American failed to yield data, Torch Concepts sought TSA’s assistance.[29]

On June 4, 2002, Torch Concepts met with the Army technical representative for the firm’s subcontract, the CAPPS II executive sponsor, the CAPPS II program manager, and a DOT congressional liaison. At the meeting, Torch Concepts discussed its work for the Army and gave a presentation on its Acumen software. According to Torch Concepts, CAPPS II was not discussed during the meeting. By the date of this meeting, the CAPPS II program team had agreements with four companies to develop CAPPS II risk assessment prototypes. Because they

[27] Treasury/USSS.007, United States Secret Service Notice of Systems of Records, 66 Fed. Reg. 45362 (Aug. 28, 2001).
[28] SRS Technologies was the prime contractor for this study, while Torch Concepts received funding for its proof-of-principle. A proof-of-principle establishes that a given tool or concept can be used to solve a given kind of problem.
In this case, \n\nTorch Concepts was to prove that its Acumen software was capable of solving problems similar to those encountered in base \n\nsecurity settings.\n\n29\n   These overtures to Delta and American occurred during December 2001 and January 2002, months before the Army \n\nsubcontract with Torch Concepts. \n\n\n\nPage 20                        TSA\xe2\x80\x99s Role in the Use and Dissemination of Airline Passenger Data\n\x0c                          had already selected vendors for this aspect of CAPPS II, program staff did not\n                          consider Torch Concepts a prospective partner in system development.\n\n                          The former CAPPS II program manager said that, following the initial meeting\n                          with Torch Concepts, the CAPPS II\xe2\x80\x99s executive sponsor instructed him to assist\n                          Torch Concepts. In our interview with the former CAPPS II executive sponsor, he\n                          could not recall having given such an instruction, but said that it was possible that\n                          he did so. We could \xef\xac\x81nd no documentary evidence that would settle the matter.\n\n                          On June 12, 2004, the Army\xe2\x80\x99s technical representative overseeing the Torch\n                          Concepts subcontract e-mailed the CAPPS II program manager. It is clear from\n                          this e-mail that the technical representative understood TSA was to provide\n                          a \xe2\x80\x9csample airline reservation data set\xe2\x80\x9d for Torch Concepts. 
An attachment setting out Torch Concepts’ program scope and plans for its proof-of-principle specifically itemizes the airline reservation data elements Torch Concepts required.

Three additional meetings between CAPPS II program representatives and representatives of the Army or Torch Concepts took place during June and July 2002. Over the course of these meetings, Torch Concepts developed an understanding that TSA would provide the company with a PNR database.

In late July, the CAPPS II program manager contacted JetBlue Airways to request the airline’s assistance in securing passenger data for Torch Concepts. After soliciting JetBlue’s assistance over the phone, the CAPPS II program manager followed up with an e-mail on July 31, 2002, to JetBlue’s director of Corporate Security. This e-mail included an attached memorandum titled “Request for PNR Data for a Department of Defense (DOD) Proof of Concept.” The memorandum briefly described Torch Concepts’ DOD related work, requested the assistance of JetBlue in providing passenger data, and articulated the process whereby JetBlue passenger data should be provided to Torch Concepts.
The memorandum specified that JetBlue should provide PNRs to Torch Concepts via a JetBlue contractor, Acxiom, Inc.30 It also stated that “any non-disclosure agreements that need[ed] to be executed [could] be exchanged directly between the parties with copies provided to both DOD and TSA.”

The former CAPPS II program manager said that he did not believe that he had the authority himself to send such a request, but that he had received general authorization from the CAPPS II executive sponsor to assist Torch Concepts. Neither the CAPPS II executive sponsor, nor the DOT Deputy Secretary who had an active role in CAPPS II planning, reports having had any contemporaneous knowledge of the JetBlue data transfer to Torch Concepts.

30 Acxiom is a commercial database management company that provides data services to a wide range of clients, including several airlines.

In September 2002, Acxiom provided Torch Concepts with approximately five million JetBlue PNRs representing 2,226,715 passengers. These records corresponded to JetBlue passengers traveling over a 33-month period. Torch Concepts received this data set in an encrypted format via a File Transfer Protocol (FTP) web site maintained by Acxiom.
Before the data transfer, Torch Concepts and Acxiom entered into a confidentiality agreement that bound both parties to maintain the confidentiality of passenger data.31

After evaluating the JetBlue PNRs, Torch Concepts found that the data did not have certain elements the firm anticipated using to establish its proof.32 Torch Concepts then purchased supplementary demographic information on passengers from Acxiom. This commercially available dataset of demographic information included social security numbers, salary data, housing ownership indicators, and length of residence, among other information. Acxiom matched the demographic data to the JetBlue airline passenger data and provided it to Torch Concepts.

The combined data set contained certain ambiguities and anomalies that Torch Concepts believed it had to resolve before proceeding with its proof. To study ways to resolve these data issues, Torch Concepts accessed a limited number of records corresponding to individual passengers. After discarding certain anomalous records, Torch Concepts stripped passenger names and deleted all but two digits of passengers’ social security numbers.

Torch Concepts followed the same internal security procedure each time it received data from Acxiom. In each case, Torch Concepts decrypted the files it received via Acxiom’s FTP site and then disconnected the host computer from the internet and intranet.
Only one Torch Concepts employee was permitted access to the data.

According to Torch Concepts, the data on JetBlue passengers remained secure and was not disclosed in violation of Torch Concepts’ confidentiality agreement until April 2003, when a representative of the firm gave a presentation at a software developers’ conference. On April 4, 2003, Torch Concepts delivered a presentation at the Southeastern Software Development Conference. Torch Concepts reports that this presentation was intended for delivery to the Army and was inadvertently given to a wider audience.

31 Torch Concepts and Acxiom entered into a confidentiality agreement on April 25, 2002.

32 Torch Concepts specifically mentioned passenger miles flown during the past year and over the passengers’ lifetime, and frequent flier club membership.

A slide in the presentation displayed “Anomalous Information on One Passenger.” This slide presented forty-two lines of data with addresses, social security numbers, dates of birth, and indicators of length of residence. Torch Concepts developed this slide to highlight the challenges it faced in analyzing the sometimes confusing data it received on individual passengers.
To support this point, Torch Concepts displayed mixed information from Acxiom’s demographic data set that had been matched to data from a single JetBlue passenger. According to an attorney for Torch Concepts, this data was selected because it contained numerous anomalies. The demographic data presented on the slide includes twenty-three different addresses and three social security numbers. To present anomalous demographic data that had been matched to one passenger instead of several, Torch Concepts picked out and displayed records with the same identifying key.33

Together with the rest of Torch Concepts’ April 2003 presentation, this slide was later posted on the internet. As a result, sensitive information associated with a JetBlue passenger became freely and publicly available. Torch Concepts’ subsequent efforts to remove the presentation from the internet have failed.

In September 2003, Torch Concepts attempted to delete all electronic passenger and demographic data associated with its subcontract. A subsequent audit of Torch Concepts’ files, however, revealed that traces of some data remained. Torch Concepts forwarded these to its attorney, who retains the system hardware with the data in a secure setting.

After 2002, TSA did not coordinate with Torch Concepts on the progress or results of the Army Base Security Enhancement Study.
Despite the CAPPS II program manager’s request for copies of non-disclosure agreements executed in support of the JetBlue data transfer, Torch Concepts never provided a copy of its confidentiality agreement to TSA.

33 This identifying key was developed by Acxiom and provided to Torch Concepts as a data element in the demographic data set.

Summary Findings

Early TSA and CAPPS II efforts were pursued in an environment of “controlled chaos” and “crisis mode” after the September 11 attacks. Management changes were frequent and chains of command were blurred. Two years later, a clear line of authorization for TSA’s request to JetBlue cannot be established. Despite the former CAPPS II program manager’s belief that he did not have authority to make a request of JetBlue, many of TSA’s current and former staff, including TSA’s former deputy administrator and an attorney with TSA’s chief counsel, believe that he did. The former DOT Deputy Secretary said that while he did not authorize TSA’s involvement in the Torch Concepts transfer at the time, he accepted responsibility for it.
The former Deputy Secretary’s “titular accountability,” however, does not answer the question of whether the CAPPS II program manager had actual authority to authorize the exchange or had been authorized by someone with authority to do so. We found no regulation or directive that explains how requests like Torch Concepts’ are to be evaluated or by whom they may be approved.

Despite the ambiguity in how the request from Torch Concepts was processed for approval, TSA’s limited role in this data transfer was in compliance with its governing statutes. TSA is responsible for security in all modes of transportation.34 Among TSA’s duties and powers is transportation security planning, which includes “coordinating countermeasures with appropriate departments.”35 TSA also has power to require airlines to produce passenger data.36

In a communication with the CAPPS II program manager, the Army’s technical representative listed security enhancements to “transportation transactions” as one of four issues that the Army sought to determine whether Torch Concepts’ software could address.37 Because Torch Concepts’ work supported the transportation security objective of another department, the CAPPS II program manager’s request for JetBlue to provide data to Torch Concepts was within the scope of
TSA’s transportation security planning duties.

34 49 U.S.C. §114(d).

35 49 U.S.C. §114(f)(4).

36 49 U.S.C. §114(d)(1), §114(e), §114(h)(4), and §44901(a).

37 This reference to “transportation transactions” is present in the program scope document that was e-mailed to the CAPPS II program manager by the Army technical representative on June 12, 2002.

TSA’s request for JetBlue to provide PNRs to a DOD subcontractor fell within the scope of TSA operations. Analysis of related documentation and discussions with past and present staff support the position that TSA’s assistance to Torch Concepts stemmed from an interest in supporting the national security mission of another department as it applied to transportation security.

Data Transfers Associated with CAPPS II Development

Eleven airline passenger data transfers took place during CAPPS II development efforts. In each case, the transfers were pursued to establish the operability of prototype and component systems.
Four of the data transfers resulted from the independent efforts of vendors associated with the CAPPS II program, while seven took place as a result of TSA’s direct involvement.38 Of these seven transfers, five were the result of a grant FAA awarded on TSA’s behalf, and the remaining two occurred during subsequent efforts to test CAPPS II system components.

Two TSA vendors independently obtained airline passenger data in order to prove the effectiveness of RAE prototypes. Four transfers of airline passenger data resulted, as follows:

• In June 2002, Ascent Technology, Inc. received data on Delta Air Line passengers.
• In mid-2002, HNC Software, Inc. received data on Continental Airlines, Frontier Airlines, and America West Airlines passengers from the SHARES reservation system.
• In mid-2002, HNC received data on JetBlue passengers from Acxiom.
• In mid-2002, HNC received data on passengers from various airlines through its E-Tickets system.

TSA, through the FAA, also awarded a grant to Airline Automation, Inc., to furnish the RAE vendors with airline passenger data for prototype demonstrations. Five transfers of airline passenger data took place as a result of this grant:

• In May and June 2002, Ascent received data on American Airlines passengers.
• In May and June 2002, HNC received data on American passengers.
• In May and June 2002, Infoglide Software Corporation received data on American passengers.
• In May and June 2002, Lockheed Martin Corporation received data on American passengers.
• In June 2002, TSA’s CAPPS II program viewed data on American passengers.

38 See Appendix E and Appendix F for summary information on these transfers.

Later efforts to test both the ADI and RAE components of the system resulted in additional passenger data sharing:

• In early 2003, Delta staff inadvertently provided IBM access to its passenger data.
• In May 2003, TSA received passenger data from Sabre Holdings to test CAPPS II.

Although the parties to these exchanges did not always execute appropriate non-disclosure agreements in advance of data transfers, we have not found any evidence of data disclosures to third parties or misuse of the data. In all but four cases, we have been assured that data disseminated in association with these transfers is held in a secure environment or has been destroyed. Citing pending class action lawsuits, the two firms associated with the four remaining transfers did not provide related information for our review. As a result, we have no information on the final disposition of the airline passenger data that HNC Software and Ascent Technology independently obtained for RAE prototype development efforts.

TSA directly received airline passenger data in only two of these CAPPS II development cases.39 Although TSA received data, in neither case did it directly access any records associated with these data submissions. DOT staff on the CAPPS II program team did, nonetheless, view passenger data from other transfers.
DOT staff evaluating RAE prototype development efforts viewed passenger data from one of Airline Automation, Inc.’s transmissions. In this instance, DOT staff only confirmed previous accounts that the data initially supplied by AAI was not in a usable format. DOT staff may have also viewed Delta passenger data in a presentation by one of the prototype vendors.

39 TSA directly received airline passenger data in one additional case in connection with CAPPS improvement.

Risk Assessment Engine Prototype Vendors

On March 8, 2002, the FAA issued a solicitation for white papers from software developers to address solutions for the risk assessment component of CAPPS II, the RAE.40 This request for white papers targeted the identification of software capable of delivering a substantial improvement in risk assessments using passenger data. Among other matters, the solicitation required that applicants submitting white papers “discuss and demonstrate [their] ability to link with airline computer reservation systems and extract PNRs for risk assessment.”41

Approximately 30 firms responded with white papers. On April 1, 2002, a proposal evaluation team affiliated with CAPPS II selected four vendors to submit detailed proposals for the development and evaluation of their proposed prototypes.
The four firms selected were: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; and the Lockheed Martin Corporation. In May 2002, the FAA signed cooperative agreements with each company on TSA’s behalf.

These cooperative agreements established a 60-day performance period for the vendors to establish their proofs of concept.42 The agreements bound the vendors to deliver risk assessment prototypes for preliminary testing. Operating with government support and guidance, each vendor was asked to create a working prototype for the CAPPS II team to test and evaluate. The agreements stipulated that software applications developed to support CAPPS II risk assessment functions meet “appropriate network security levels,” but did not place any restrictions on the use or disclosure of sensitive personal information.

In-depth testing of the feasibility and effectiveness of these prototypes required the use of authentic data corresponding to real people. This “real” data was useful in RAE prototype testing for two reasons. First, such data was important to assess whether the public database linkages underpinning the various prototypes were viable. Passenger records on fictitious individuals would not have matched to information in public databases and could not establish the viability of a prototype’s interface with public data.
Second, it was useful to the CAPPS II team to determine whether a prototype system could effectively process authentic records from public databases with all of their associated anomalies and inconsistencies. This key system capability could not be evaluated without data on real individuals.

40 This solicitation appeared as a Broad Agency Announcement under the title “Announcement for Submission of White Papers for CAPPS II Software Evaluation.” Broad Agency Announcements articulate, in general terms, an agency’s research goals in a particular area and solicit qualified respondents interested in pursuing future funding awards in that area.

41 Ibid., 2.

42 A proof of concept demonstrates the feasibility of an approach to solve a given problem.

While the four vendors were initially selected in part for their ability to link with reservations systems and to extract PNR, their cooperative agreements with the FAA did not assign responsibility for obtaining passenger data. The CAPPS II program staff sought a uniform set of PNR data to test each of the vendors against a common standard. During the same period, two of the RAE prototype vendors – Ascent and HNC – accessed airline passenger data without TSA coordination or assistance.

Ascent accessed PNRs from Delta’s reservation system in early June 2002, during the development of its RAE prototype. As suggested in Ascent’s RAE development proposal, these PNRs may have corresponded to flights departing from Boston Logan International Airport in Massachusetts.
Citing ongoing litigation related to its work for TSA, counsel for Ascent has advised that the firm cannot release any further information on the PNR data it received from Delta.

Ascent reported to us that it “never accessed or retrieved data by individual identifier” and that the data was stored in a “password-protected environment.” Ascent further said that access to the passenger data was limited to employees working on the firm’s RAE prototype development efforts. Some evidence suggests the possibility, however, that these Delta passenger records were also viewed by CAPPS II program staff. According to a written evaluation of Ascent’s prototype, the firm “demonstrated real live feed of PNR” to prototype evaluators from the CAPPS II team. However, we were unable to confirm that the records used for Ascent’s demonstration were records corresponding to actual passengers, or that they corresponded to Delta passengers in particular.

HNC Software obtained a more varied set of PNR data for prototype testing than the other vendors. In its final report, HNC Software reported independently obtaining airline passenger data from at least four airlines. During the course of its cooperative agreement performance period, HNC received airline passenger data from three sources: the SHARES reservation system, Acxiom, and HNC’s own E-Ticket operations. HNC’s collaboration with SHARES netted it passenger data from Continental Airlines, Frontier Airlines, and America West Airlines corresponding to flights between June 20 and July 3, 2002.
In total, HNC accessed 787,081 Continental PNRs, 70,523 Frontier PNRs, and 589,515 America West PNRs through the SHARES system.43 For its part, Acxiom furnished HNC Software with 2,725,352 JetBlue PNRs. These records corresponded to JetBlue passengers who flew between January 13 and September 5, 2002. Finally, HNC E-Tickets provided HNC’s RAE prototype development team with 400,000 PNRs from “various” airlines for testing purposes. According to HNC’s final report, these passenger records came from flights during the June 20 to June 25, 2002, time frame.

Because of three pending class action lawsuits on work related to TSA, the current owner of HNC Software, FairIsaac, would not provide information for our review. As a result, we were unable to determine to which airlines the HNC E-Ticket PNRs corresponded. For the same reason, we could not determine how many individual passengers were associated with the PNRs that HNC used in its prototype development and testing. Questions also remain on the final disposition of this data.

Infoglide reports that it did not independently access PNR data.
According to a MITRE employee monitoring Infoglide’s progress in prototype development, however, it had 13 million PNRs from WorldSpan, a firm that manages travel data. Nonetheless, Infoglide reported to us that it never received real PNRs from WorldSpan. Instead, according to Infoglide, the firm requested and believes it received “mock” data with fabricated records on fictitious passengers from WorldSpan. We have not been able to confirm this claim.

The final cooperative agreement recipient, Lockheed Martin, maintains that it did not use any independently procured airline passenger data in the development or testing of its RAE prototype. For the purposes of developing and demonstrating its RAE prototype, Lockheed Martin did use a small demographic data sample from its partner, commercial data provider ChoicePoint. As this limited data set did not include any authentic airline data, we did not address it further in our review.

RAE prototype vendors’ independent pursuits of PNRs were not directly overseen by TSA. TSA did, however, weigh the implementation of sound privacy and information security practices in its appraisals of vendor performance during its prototype evaluation process.
One of the five technical factors used to assess the quality of vendors’ prototypes was their adequacy with respect to privacy and civil rights, and data confidentiality. Evaluators specifically considered whether the vendors’ software solutions would:

• meet legal requirements related to information privacy and civil rights;
• ensure information security;
• protect against unauthorized access to, use of, or disclosure of information; and
• protect individual privacy rights.

[43] According to HNC Software’s final report, data from SHARES included frequent flier information and seating data.

Evaluators’ appraisals on these grounds provide insight into the likely confidentiality and security of the airline passenger data obtained by the RAE prototype vendors. In the final analysis, the four prototypes’ approaches to privacy and confidentiality were scored on two scales. Overall solutions in this area were rated for the basic quality of the solution and its associated risks.
Three of the prototype solutions were rated “adequate” on the quality of their solutions with respect to privacy and confidentiality, while one firm’s solution was rated “strong.” In terms of risk, one prototype was adjudged “low risk,” two “medium risk,” and one “high risk.” Risk ratings in this context refer to the risks TSA might experience in working with a given vendor to develop a full-scale RAE system for CAPPS II.

Airline Automation, Inc.

Airline Automation, Inc. (AAI) is a firm that provides data services to a number of domestic and international air carriers. By 2002, AAI had software applications running on a range of airline reservations systems and operated processes for several systems hosting passenger data for travel agencies.

AAI said that following the attacks of September 11, 2001, it sought to contribute to improving the aviation security environment and engaged in related discussions with the Federal Bureau of Investigation, Customs Service, and TSA. AAI contact with the CAPPS II executive sponsor and program manager in March 2002 was followed by a meeting to discuss the means by which AAI could support CAPPS II development.

As a product of these discussions, AAI submitted a white paper to the CAPPS II program manager in early April 2002. The AAI white paper offered a solution for providing a data conduit to and from the RAE component. AAI offered to convert the tangle of disparate airline reservations data into a common format for the CAPPS II risk assessment engine to read.
To feed information from the RAE to the reservations systems, in turn, AAI offered to pair reservations data with risk assessment information and return the “enhanced” data to its source in its original format.

After evaluating AAI’s white paper and a subsequent proposal, the FAA awarded the firm a research grant of approximately $61,000 on May 31, 2002. Covering a two-month term, the research grant award itemized several deliverables including the:

• development of “secure data access consistent with fundamental security and privacy needs;”
• certification that AAI has legal authorization or licenses for all of the data accessed and processed by the prototype systems;
• development of a detailed plan on security protocols and procedures to restrict access to the data and a confidentiality statement;
• provision of sample airline passenger data with a description of the databases, sources, and content; and
• transfer of aggregated sample airline passenger data received to the RAE system component.

The CAPPS II program team viewed AAI’s research grant as an opportunity to enlist the firm in the effort to furnish PNR data for RAE prototype
testing. By the date of the AAI research grant award, the FAA had signed cooperative agreements with all four of the RAE prototype vendors. With AAI’s parallel grant award, the firm’s aggregated sample airline passenger data could be distributed to each of the four vendors. Using AAI’s data set, the CAPPS II program team could measure the performance of the RAE prototypes in processing a uniform set of data.

After AAI’s proposal received a favorable evaluation from the FAA research grants staff, the CAPPS II program manager appealed to two airlines to use their passenger data for CAPPS II development. On May 15, 2002, the CAPPS II program manager drafted a memorandum to Continental requesting that the airline furnish TSA and its RAE prototype vendors with PNRs through TSA’s grantee, AAI. Five days later, the program manager sent a similar request to American soliciting PNR data through AAI.

In apparent anticipation of PNR data transfer, both American and Continental signed non-disclosure agreements with TSA in late May 2002.[44] While there is no evidence that Continental ever provided airline passenger data in furtherance of its non-disclosure agreement, American authorized AAI to provide its passenger data to TSA for “testing CAPPS II programming” on May 22, 2002. American’s e-mail communicating authorization to provide passenger data for CAPPS II did not expressly provide for the release of data to any party other than TSA.

[44] American signed a non-disclosure agreement with TSA on May 20, 2002. Continental signed a non-disclosure agreement with TSA eight days later on May 28, 2002.

On May 24, 2002, AAI sent one compact disc (CD) with an indeterminate quantity of American passenger data directly to each of the four RAE prototype vendors. AAI obtained the data on the CDs from the Sabre reservations system, which hosts reservations for American, among other airlines.

AAI sent these CDs seven days before FAA awarded the firm a research grant, and weeks before it signed non-disclosure agreements with the recipients. Due to the configuration of the airline passenger data on the CDs, the RAE prototype vendors complained that they could not effectively open, access, or interpret the records. At least two RAE prototype evaluators on the CAPPS II team viewed data from the CDs and confirmed that the data supplied by AAI in this first instance was not in a usable format.

In mid-June 2002, AAI made another attempt to transmit PNRs to the RAE prototype vendors. The firm provided TSA and the RAE vendors with passwords to access airline passenger data uploaded onto a file transfer protocol (FTP) server.
On June 17, 2002, AAI placed approximately 500,000 American passenger records on the server. On the same day, two of the RAE prototype vendors entered into non-disclosure and confidentiality agreements with AAI. These agreements stipulated to basic data security safeguards and barred data disclosure to third parties without the execution of another non-disclosure agreement. The non-disclosure agreements also required the vendors to limit the internal distribution of the data to those employees with a “need to know” and restricted data use to analysis and data assessment work for the FAA. Finally, the agreements mandated the return or destruction of all related data and information within 10 days of the end of the vendors’ related work.

AAI did not sign non-disclosure agreements with the two other RAE prototype vendors, Infoglide and HNC Software, until June 25, 2002, seven days after these two vendors received passwords to access AAI’s airline data. Although the non-disclosure agreements were not signed by AAI until June 25th, Infoglide and HNC Software had signed the agreements before they received access to AAI’s data. As signatories of non-disclosure agreements, both of these vendors were bound to maintain the confidentiality of passenger data during this interim.
Neither firm inappropriately used or disclosed the data it may have accessed at the time.

Certain data elements that TSA deemed important to RAE prototype development and testing were absent from the passenger information that AAI had posted to the FTP site on June 17, 2002. In particular, TSA requested that additional information useful in authenticating identity and data important to risk scoring be included with the airline passenger data. After consultations to clarify the additional information that TSA wished to have included in the data submissions to the RAE prototype vendors, AAI transmitted an e-mail with sample records. The e-mail, which included an attachment with approximately 10,000 American PNRs, was sent to TSA and each of the four vendors on June 27, 2002. According to AAI, its copy of the e-mail was automatically returned to AAI unopened, because it was too large for the agency’s e-mail system to process.

On June 28 and 29, 2002, AAI loaded an additional 1,331,640 American PNRs to the FTP server. These records corresponded to the period from June 22 to June 29, 2002, and included passengers’ full name, itinerary, phone number, e-mail address, and credit card number when available.

Passenger data provided by AAI were used differently by each of the four RAE vendors.
Ascent reported that it used only a subset of about 900,000 of the records that it received from AAI for RAE prototype demonstration purposes. The firm also said that it did not access or retrieve or match the data by individual identifier. With one exception, access to the records was limited to Ascent employees connected to the project. During Ascent’s final presentation to the CAPPS II team in late July 2002, the firm included American passenger data in sample RAE system display screens. Ascent will not disclose information about the final disposition of this data.

HNC applied the data it received from AAI to the adjustment of its passenger risk assessment scoring scheme and RAE prototype testing. According to the vendor’s final report, it used 1,302,468 of the PNRs from AAI for these purposes. The more than 1.3 million American PNRs were supplied to HNC’s partner, Acxiom, and matched to demographic information in Acxiom’s commercial databases.[45] Acxiom, in turn, transmitted the matched records back to HNC, which used the passengers’ amplified demographic information to develop risk ratings.
Counsel for Fair Isaac, the firm that now owns HNC, advised TSA that HNC had deleted the data it received from AAI.

[45] HNC’s non-disclosure agreement with AAI listed Acxiom as an approved third party, eligible for receipt of passenger data.

Infoglide used the American PNRs it received from AAI in a limited fashion. The company’s prototype development team evaluated the completeness of the fields within the data set it received and made determinations about what data elements it could effectively use in passenger risk assessment. Infoglide did not use data from AAI to test its RAE prototype. After the expiration of its cooperative agreement, Infoglide returned PNR data to AAI and attempted to destroy all copies of it. Infoglide has reported that a copy of the AAI data was later found on a CD. According to the firm, this data “is being maintained in a secure place.”

Lockheed Martin used a subset of the data it received from AAI in the performance of its RAE testing. Lockheed Martin formatted approximately 32,000 of the American PNRs and used them for prototype testing in an off-line setting. In July 2002, Lockheed Martin demonstrated its RAE prototype to TSA with about 50 of the formatted records. After the conclusion of its cooperative agreement, Lockheed Martin destroyed media containing the original American PNRs that it had received from AAI. Nevertheless, Lockheed Martin has retained copies of the approximately 32,000 PNRs it formatted.
The company maintains that access to these records is “strictly controlled” and told us that it notified AAI of their status.

CAPPS II program staff maintained that TSA did not access passenger data on the FTP site at any point. This account is supported by AAI, which reported that TSA’s password to access the FTP site was never used. At least two RAE prototype evaluators viewed the passenger data AAI initially supplied by CD. These staff members did not retain the data and only viewed it at a remote location. Other officials involved in CAPPS II development viewed airline passenger data that was displayed in prototype demonstrations performed for the Deputy Secretary of Transportation in late July 2002. An audience member witnessing these presentations recalled that attendees were required to sign non-disclosure agreements.

In late July 2002, AAI requested a one-month extension of its research grant at no cost to the government. As the basis for this extension, AAI stated that the DOD had requested that it provide Torch Concepts with airline reservations data. Several days later, the FAA approved AAI’s one-month extension and set the research grant completion date for August 29, 2002. Despite these preliminary efforts, according to both AAI and Torch Concepts, no airline passenger data was exchanged during the grant extension period.
AAI submitted its final project report for its FAA research grant on September 30, 2002.

In addition to supplying passenger information to RAE prototype developers, AAI made a bid to be the CAPPS II ADI contractor. As the concept behind the ADI component of the CAPPS II program matured, TSA released an announcement requesting contact information from potential offerors on June 20, 2002. AAI provided TSA information as an interested potential offeror and later submitted a proposal. After submitting its proposal, on July 18, 2002, AAI received authorization from American to use the airline’s PNRs in the process of ADI development and testing. TSA’s evaluation of AAI’s proposal, however, did not result in an award; another proposal was selected.[46] As a result, AAI did not use American passenger data for ADI development and testing.

Airline Data Interface Testing

On December 5, 2002, TSA awarded IBM a contract for an ADI solution for CAPPS II. The ADI’s function was to extract, process, transfer, and load reservations and travel agency data and pass it to the CAPPS II risk assessment component.
Once the RAE processed passenger risk assessment scores, the ADI was to transmit the scores to the airlines.

TSA’s contract with IBM included certain privacy and confidentiality safeguards. According to the contract, data in the ADI system was to be regarded by IBM as sensitive but unclassified information and to be shared exclusively on a need-to-know basis. The contract also required that IBM provide for a data system meeting security and privacy needs and develop a detailed plan outlining data security protocols and procedures.

Access to airline passenger data was an important requirement for testing the ADI. Prior to the contract award, IBM and TSA engaged in discussions about how IBM would be provided access rights to passenger data. An early draft of the contract indicated that IBM was responsible for obtaining passenger data on its own.
The final contract, however, specified that it was the government’s responsibility to provide access and rights to “PNR and other related data sources and/or records accessed and processed by the ADI system…”

[46] TSA’s Technical Evaluation Panel selected IBM’s proposal for ADI development on July 26, 2002.

In December 2002, TSA and Delta officials met to discuss the airline’s potential role in providing test data. A TSA official reported, and Delta officials confirmed, that Delta was agreeable to working with TSA if: TSA issued a security directive requiring Delta to give access to PNRs; TSA and Delta entered into an MOU governing use and retention of the data; and TSA’s CAPPS II development contractors signed confidentiality agreements regarding the data.

Shortly following the IBM contract award, TSA staff contemplated the use of a security directive to mandate PNR data for testing, and coordinated with Delta to develop a draft MOU. In late February 2003, an official at Delta Technology mistakenly thought that TSA and Delta’s attorneys had agreed on a final security directive ordering the airline to provide passenger data.
As a result, Delta opened up a “real time” connection between IBM’s system and a portion of Delta’s airline reservations system over a secure virtual private network. Delta estimated that fewer than 1,000 Delta passenger records were transferred to IBM and Infoglide between February 27 and March 3, 2003. The records corresponded to Delta reservations system records that were updated or modified between those dates, and were limited to records for passengers on flights with an origin or destination of Birmingham International Airport in Alabama.[47]

On March 3, 2003, a Delta Technology official instructed IBM via e-mail to delete all transmitted data, including all copies and derivations of that data. The Delta Technology official further said that no data could be shared until Delta received an order from TSA compelling it to share the data and an MOU governing the use of the information. On the same day, an IBM representative instructed the IBM and Infoglide development teams to delete all Delta passenger data that they had received. Later that day, IBM confirmed that all of the data had been deleted. IBM advised that it did not access or retrieve any of these passenger records by individual identifier.
Infoglide said that it never received or accessed passenger data from Delta.

Delta officials said that a pre-existing non-disclosure agreement with IBM protected the confidentiality of the passenger data that the airline transferred in February and March 2003.

[47] In the past, Delta asserted to TSA that the real passenger records that it had provided to IBM and Infoglide were mock records. TSA reported that, as of December 2004, Delta had not revised its statement to TSA on this point.

Sabre Holdings

Sabre Holdings is a company with businesses that serve travelers, corporations, travel agents, and travel suppliers around the world. In May 2003, the TSA entity managing CAPPS II at the time, the Office of National Risk Assessment (ONRA), received approximately one million airline passenger records from Sabre. However, ONRA returned them to Sabre in September 2003, never having accessed or shared the data.

In the spring of 2003, ONRA contacted Sabre. ONRA had committed to provide airline reservations and travel agency system data to its CAPPS II contractors in February 2003 and its communications with Sabre were an attempt to follow through on that commitment. In a May 9, 2003, letter, ONRA asked that Sabre provide it with airline passenger data to complete CAPPS II program testing.
ONRA said that any passenger data that ONRA received would be used exclusively for CAPPS II design, development, and testing purposes, and would not be used for production processing or be shared outside the program.

In anticipation of the receipt of PNRs from Sabre, ONRA’s privacy officer began coordinating with contractors to draft a privacy policy to govern use of the data. Written specifically for data from Sabre, the draft policy addressed data access, use, and retention.

Throughout May 2003, TSA attorneys, ONRA staff, and technical experts communicated regarding technical aspects of the system testing and applicability of the Privacy Act. TSA’s main concern was whether individuals’ records would be retrieved during testing. Based on an understanding that TSA would be testing the efficacy of certain aspects of the system and not making determinations about individuals or retrieving records by passenger name, TSA Office of Chief Counsel (OCC) staff advised that the Privacy Act did not apply to intended data uses. OCC advised, however, that record retrieval based on a person’s name rather than random retrieval based on broad categories like date or flight would trigger the Privacy Act.

Sabre sent a CD containing PNR data to ONRA on May 16, 2003. This CD contained approximately one million airline passenger records.
It is unclear to which airlines that data corresponded.[48] According to Sabre representatives, ONRA did not request specific data fields. Sabre representatives said that the data contained airline passengers’ first and last names, phone numbers, home addresses, and possibly dates of birth. Sabre representatives also said that the data was not “active” or “current” and it was for only domestic flights.

[48] Sabre Holdings representatives reported that data on the CD likely corresponded to passengers from a number of the more than 400 airlines whose seats can be booked through Sabre.

ONRA staff did not immediately review the information on the CD or provide the CD to its contractors. Instead, ONRA’s privacy officer locked the CD in a cabinet pending resolution of all relevant privacy concerns. Sabre representatives said that they did not intend to allow ONRA to use the CD for CAPPS II system testing until a new CAPPS II Privacy Act system of records notice was published. In June or July 2003, Sabre representatives formally notified ONRA of its intent to bar use of the data until this requirement was met.
An earlier CAPPS II system of records notice had received substantial comment and Sabre representatives requested that they have an opportunity to review the interim notice before permitting use of the data for CAPPS II.

TSA published an Interim Final Privacy Act Notice for CAPPS II on August 1, 2003.[49] Ten days later, ONRA sent Sabre a letter summarizing certain implications of the notice on CAPPS II system design and testing. After numerous discussions with TSA about privacy and public relations, in September 2003, Sabre asked that ONRA return its CD. Having never accessed, reviewed, or transmitted its contents, ONRA complied.

During the late spring and summer of 2003, ONRA also contacted WorldSpan and Galileo about supplying airline passenger data for the CAPPS II effort.[50] We found no evidence that that data was provided to TSA or any of the CAPPS II contractors by either of these companies in 2003.

Data Transfer in CAPPS Improvement Effort

In May and June 2003, TSA obtained JetBlue passenger data to assist in the identification of changes to the operating passenger pre-screening system. This data was used to weigh possible modifications to CAPPS rules. The data has not been destroyed and remains in TSA’s custody.

[49] TSA Interim Final Notice, 68 Fed. Reg. 45265 (Aug. 1, 2003).
[50] WorldSpan and Galileo are firms that maintain and distribute electronic travel data through their GDSes.
Subscribers to these companies’ systems, including numerous travel agencies, receive travel information and booking capabilities for airlines, hotels, car rentals, cruises, and other related travel options.

CAPPS Improvement

In April 2003, TSA’s Aviation Operations division formed a Selectee Checkpoint Program Completion Team (SCPC). As part of its mission, the SCPC focused on evaluating ways to adjust CAPPS selectee rates. This effort was conducted independently of CAPPS II development and within a separate TSA office.

In order to adjust selectee rates, the SCPC team identified possible changes to existing CAPPS scoring rules. A series of rule modifications were then evaluated against airline passenger data to assess relative impacts on selectee rates. Because CAPPS is operated by the airlines, data to make these assessments were not readily available. Accordingly, the SCPC team had to solicit the cooperation of airlines to evaluate the likely impact of different CAPPS rule adjustments. In May 2003, the SCPC team leader enlisted the support of American and JetBlue for this purpose.

The SCPC shared the details of possible changes to the CAPPS rules with American. After testing the proposed modification to the CAPPS rules against its passenger data, American was able to furnish the SCPC with information on how these changes would affect its passenger selectee rates. On the other hand, according to the SCPC team leader, JetBlue lacked the resources to assess the impact of proposed CAPPS changes. Instead, the airline provided passenger data to TSA’s SCPC for analysis.

At TSA’s request, starting in May 2003, JetBlue sent nine e-mail messages to members of TSA’s SCPC with data on the air carrier’s passengers.
The e-mails included attachments with passenger data presented in spreadsheets. These spreadsheets were not password protected and did not restrict access by any other means.

The airline provided data for thirty flights with more than 3,900 passengers. Most records included fields for first and last name, PNR number, booking date, flight number, flight date, flight origin and destination, and home phone number. Some transmissions included passengers’ e-mail addresses and indicated whether passengers had been selected for further screening. TSA had not requested passenger phone numbers or e-mail addresses for its analysis.

TSA staff used data from a subset of the JetBlue flights to model the prospective impact of CAPPS rules variations under consideration. This model was later presented to TSA leadership to assist in determining which CAPPS changes to adopt. In a memorandum to TSA leadership, the SCPC team leader reported that these data were saved on two computer hard drives, and were accessible by only two employees. Data were not accessible via TSA’s network.

TSA did not discuss passengers’ data privacy, confidentiality, or security by TSA in advance of the transfer. Neither TSA nor individual staff working on the project signed confidentiality or non-disclosure agreements with JetBlue pursuant to the data exchange. Despite this, TSA did not release or transfer the SCPC passenger information to another party.
Furthermore, TSA states that it did not access or retrieve any data on any passengers by individual identifier.[51] TSA told us that no other airlines transferred passenger data to TSA for this project.

The JetBlue passenger data received by the SCPC has not been returned or destroyed due to pending FOIA requests. At this time, TSA has not determined whether the passenger data is responsive to the FOIA requests.[52]

Conclusions

Although we found no evidence of harm to individual privacy, TSA could have taken more steps to protect privacy. TSA did not consistently apply privacy protections in the course of its involvement in airline passenger data transfers. This inconsistency pertained to TSA’s efforts in acquisitions, contract enforcement, and internal practice.

Although TSA and the FAA, acting on TSA’s behalf, included language guarding data security and confidentiality of personal information in some acquisition instruments used in CAPPS II development, they did not do so in all cases. The May 2002 research grant to AAI and the December 2003 contract with IBM both included text requiring the funding recipients to implement and report on data security and data privacy protection efforts.
The May 2002 cooperative agreements signed with the four RAE prototype vendors, however, did not contain provisions limiting the use or disclosure of personal information.

TSA did not completely monitor or enforce adherence to good privacy practices among the parties involved in passenger data transfers. CAPPS II management was not acquainted with the details of related airline passenger data exchanges and, therefore, could not determine whether these transfers were appropriate. Although TSA evaluators of the RAE prototype vendors assessed their performance in the area of data security and privacy protection, evaluators did not track the vendors’ independent efforts to obtain passenger data.

[51] Department of Homeland Security, Transportation Security Administration, Office of Chief Counsel, Report on Passenger Name Record Data Exchanges Involving Projects to Improve Passenger Screening, August 18, 2004, p. 36.
[52] Ibid., p. 36.

CAPPS II program staff facilitated the transfer of JetBlue passenger data to Torch Concepts, but did not keep tabs on the resulting data exchange. CAPPS II program staff did not follow up on a request for copies of relevant non-disclosure agreements, nor did TSA request an accounting of Torch Concepts’ utilization or disposition of the passenger data that it received.

This pattern also characterized TSA’s oversight of the RAE prototype vendors. TSA did not carefully track vendors’ independent progress in obtaining airline passenger data to develop, test, and demonstrate their prototype systems.
In addition, the agency neglected to inquire whether airline passenger data used by the vendors had been returned or destroyed.

In the case of the data transfer to support CAPPS improvement efforts, TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use. First, TSA did not obtain non-disclosure or confidentiality agreements with JetBlue before receiving airline passenger data in May 2003. These agreements could have provided a declaration of data usage and set important restrictions on disclosure. Second, TSA did not ensure that data security measures were in place during the data transfer. As a result, passenger data was transmitted to TSA in unencrypted files without password protection.

Despite TSA’s intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred. Torch Concepts’ inadvertent disclosure of sensitive information associated with a single JetBlue passenger occurred in breach of its confidentiality agreement with the data provider, Acxiom.

Finally, airline passenger records were not maintained in such a way as to have required TSA to publish a Privacy Act system of records notice. Neither TSA nor its contractors accessed or retrieved airline passenger records by individually identifying particular.
As a result, none of the passenger data received or maintained by TSA or its proxies may be considered a system of records under the Privacy Act.

We recommend that the Assistant Secretary for Transportation Security, in coordination with the Chief Privacy Officer, as appropriate:

Recommendation 1: Develop clear protocols for obtaining airline passenger data and facilitating its exchange among other parties.

Recommendation 2: Ensure privacy and personal data protections are written into acquisition documents where performance may involve the collection, maintenance, use, or dissemination of individually identifiable data.

Recommendation 3: Require final reporting for acquisitions with intensive data analysis or processing components that addresses data receipt, processing, distribution, utilization, and disposition, as well as attention to data security and privacy.

Recommendation 4: Require entities performing work for TSA to report to the agency on how they are addressing data security, privacy protections, and confidentiality.

Information Disclosure Regarding Airline Passenger Data Transfers

Statements TSA officials made about the agency’s role in passenger data sharing in response to FOIA requests, U.S. Senate testimony, and media inquiries were at times incorrect.
The fact that accurate information about data transfers was not immediately disclosed to the public fueled perceptions that TSA was withholding information about its use of airline passenger data.

FOIA Requests

In September 2003, TSA received hundreds of electronic and paper FOIA requests soliciting all agency records regarding the accessing or use of JetBlue passenger data that were indexed or maintained under the requester’s name or other identifying information in connection with various security systems. These FOIA requests were prepared using a template available on the American Civil Liberties Union (ACLU) web site.

In coordination with the TSA FOIA office, the agency’s OCC contacted ONRA and asked it to search for relevant documents. On September 25, 2003, ONRA replied that it did not have JetBlue records.[53] On that same day, OCC staff wrote to the CPO that ONRA had no responsive records.
Replying to the OCC’s e-mail, the CPO wrote, “Is there elsewhere in TSA that we should search?” OCC responded, “There is no other office in TSA that would get PNR data except ONRA.” Nonetheless, OCC also consulted with staff from the agency’s CIO to determine whether they had any JetBlue passenger data.

When ONRA and CIO staff reported that neither had records responsive to the FOIA requests, TSA drafted a response, which is still posted on the agency’s FOIA reading room web site. The response asserts that TSA does not have JetBlue Airways passenger data; that response remained on the web site for over a year.

It is standard practice to assign FOIA requests to numerous offices within the agency to cast the widest net possible for document collection. We interviewed FOIA office staff on two occasions and reviewed their methods for assembling documents responsive to FOIA requests. Procedures pertaining to document collection for FOIA requests require FOIA office staff to ask TSA entities that might reasonably be expected to possess responsive documents to search their records. Searching for records responsive to FOIA requests is an agency-wide responsibility. To conduct thorough searches for documents, FOIA office staff often require input from other agency offices with broad based knowledge of TSA operations.
Although TSA’s Aviation Operations (AVOPS) was later found to possess JetBlue records, OCC and the FOIA office never asked AVOPS to search its files for documents responsive to these FOIA requests.

In September 2003, the ACLU and Electronic Privacy Information Center (EPIC) sent FOIA requests to TSA for, among other items, records “regarding access and/or use of JetBlue Airways … passenger data in connection with various security systems,” and “documents or materials related to JetBlue Airways Corporation.” TSA’s FOIA office asked AVOPS to search for responsive records to these FOIA requests in late September, before reporting on the agency web site that TSA had no JetBlue Airways passenger data. Documents indicate, however, that TSA posted the statement that it had no JetBlue Airways passenger data before AVOPS responded to the ACLU and EPIC FOIA requests. When AVOPS reported to the FOIA office on these requests, it stated that it had “no records relative to the request[s].” The JetBlue passenger records in AVOPS possession were not reported to FOIA staff until May 2004.[54] When AVOPS provided the JetBlue passenger records to the FOIA office, staff there took precautions not to copy or distribute them and locked them in the office document room, where they remain.

[53] In two separate visits to ONRA, we reviewed records related to PNR data and documentation of attempts to obtain PNR data. We found no evidence of JetBlue or any other airline PNR data at ONRA, except those limited staff records that had been reported on by the GAO.

In April 2004, Wired News and ACLU sent additional FOIA requests to TSA asking broadly for any records related to the sharing or acquisition of airline passenger records. Along with the September requests from the ACLU and EPIC, these FOIA requests were transferred to DHS’ departmental disclosure officer who, as of November 2004, was processing documents for release to the requesters.

We recommend that the Assistant Secretary for Transportation Security, in coordination with the Chief Privacy Officer, as appropriate:

Recommendation 5: Re-evaluate TSA’s response to FOIA requesters who solicited information in September 2003 regarding their airline passenger data. Such a reevaluation should, at minimum, involve the removal or amendment of the letter posted on TSA’s FOIA reading room web site to reflect the fact that TSA is in possession of JetBlue passenger data.

U.S. Senate Testimony

TSA employees assisted in preparing responses to a pre-hearing questionnaire for the DHS Deputy Secretary’s November 18, 2003, confirmation hearing before the U.S. Senate Committee on Governmental Affairs.[55] One question sought information about TSA’s role in the transfer of JetBlue passenger information to Torch Concepts. The November 18, 2003, response to the question stated that TSA provided assistance “…only in the form of an introduction for DOD to JetBlue Airlines [sic].”

In late November or early December 2003, TSA staff located a July 30, 2002, memorandum from the CAPPS II program manager to JetBlue’s security director requesting that the airline provide PNR data to Torch Concepts. Because this memo contradicted the Deputy Secretary’s November 18, 2003, response to the Committee on Governmental Affairs, on February 23, 2004, the Deputy Secretary sent a letter to the Chairman of the Committee amending his prior statement. His statement was amended to read, “In a July 30, 2002 memorandum, TSA requested that JetBlue provide archived passenger data to the DOD.” TSA staff did not provide a clear explanation as to why this memorandum was not brought to the Deputy Secretary’s attention before the November 18, 2003, hearing.

[54] These passenger records related to the effort to improve the existing CAPPS program.
[55] At the start of the 109th session of Congress, the U.S. Senate Committee on Governmental Affairs became the Senate Committee on Homeland Security and Governmental Affairs.

In another confirmation pre-hearing question, the U.S. Senate Committee on Governmental Affairs asked whether contractors working on CAPPS II had used any real world data for testing purposes. The Deputy Secretary’s response was that “TSA has not used any PNR data to test any of the functions of CAPPS II.
TSA is using certain information provided by volunteers, many are DHS employees,” including senior DHS officials.[56] TSA did use volunteered information to test CAPPS II; however, PNR data also was used to test some of the system’s functions.[57]

Government Accountability Office and Media Reports

In February 2004 testimony before Congress on CAPPS II implementation challenges, the Government Accountability Office (GAO) said, “…TSA has only used 32 simulated passenger records – created by TSA from the itineraries of its employees and contractor staff who volunteered to provide the data – to conduct [passenger risk assessment] testing.”[58] On this point, Wired News questioned whether TSA intentionally withheld information from GAO.[59] After reviewing GAO documents relating to the above statement in its testimony and interviewing TSA employees, we have found no evidence that TSA provided misleading or inaccurate information to the GAO.

As the basis for the above statement in its CAPPS II testimony, GAO relied on interviews with ONRA staff. Records of meetings between GAO and ONRA staff show that GAO specifically asked about ONRA’s access to airline passenger data. GAO’s questions concentrated on stress tests and systemwide testing for CAPPS II and not the testing of system prototypes or components.
Furthermore, when asked about ONRA’s relationship with Delta and travel data systems, ONRA staff told GAO that Delta had supplied data for testing the CAPPS II ADI component and that ONRA was in discussions with Sabre about using its data for testing.

[56] Pre-hearing questionnaire for the nomination of the DHS Deputy Secretary, November 18, 2003, hearing to the Senate Committee on Governmental Affairs, question number 64.
[57] IBM and Infoglide received PNR data from Delta to test CAPPS II components. In addition, RAE prototype vendors used PNR data on numerous occasions to demonstrate and test their prototypes.
[58] Government Accountability Office, Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385, February 2004, p. 17.
[59] “More False Information from TSA,” Wired News, June 23, 2004.

GAO’s report about CAPPS II testing specifically referred to demonstrating the full CAPPS II system. Although partial system testing occurred for a short time in February 2003, Delta data and prototype testing occurred in mid-2002.
Full CAPPS II system testing never occurred because airline passenger data was not available.

In September 2003, a TSA spokesman told Wired News that CAPPS II had not been tested on any historical travel data and that only fake passenger data had been used.[60] Wired News also asked a separate TSA spokesman in September 2003 whether TSA’s four contractors had used real passenger records to test and develop their systems. According to the article, the spokesman denied that four contractors had used real passenger records and said TSA had only used “dummy data.”[61]

The responses that the TSA spokesmen provided to Wired News were not accurate. CAPPS II prototypes and components were tested using authentic passenger data on eleven occasions. Moreover, eight of the cases involved the CAPPS II program’s RAE prototype vendors.

Disclosure of Information to the DHS Privacy Office

The CPO expressed concern that TSA had not been fully forthcoming in providing information requested from the agency for the February 20, 2004, Report to the Public on Events Surrounding JetBlue Data Transfer. We reviewed eight written requests for information that the CPO sent TSA prior to February 20, 2004, and reviewed TSA’s responses. We concluded that TSA was promptly responsive to most of the CPO’s requests.
However, in one case, TSA was not promptly forthcoming with the CPO.

We reviewed requests the CPO sent to the following offices: TSA Public Affairs; ONRA; the assistant administrator for Policy; the administrator, deputy administrator and chief of staff; the FOIA office; and the Office of Chief Counsel (OCC). The CPO’s requests for information were for documents specifically related to the transfer of JetBlue PNRs to DOD subcontractor Torch Concepts. In requesting information, the CPO expressed a sense of urgency; however, only one of the eight requests that we reviewed contained a specific response deadline.[62]

[60] “JetBlue Data to Fuel CAPPS Test,” Wired News, September 16, 2003.
[61] “More False Information from TSA,” Wired News, June 23, 2004.

In one case, TSA was not promptly forthcoming in providing documents to the CPO. In November and December 2003, TSA sought information from its employees to respond to a letter that the Ranking Member of the U.S. Senate Judiciary Committee had sent to the DHS Secretary inquiring about TSA’s role in the JetBlue data transfer to Torch Concepts.[63] TSA forwarded a draft response and eleven supporting documents to DHS for review in January 2004.
Although all of these materials were germane to the CPO’s inquiry, a list of the supporting documents was not provided by TSA to the CPO until February 17, 2004. The CPO said that receipt of a list of these documents six weeks after they had been compiled, and three days before publication of the DHS Privacy Office report, gave the impression that TSA had withheld the documents.

The TSA employee who drafted the response letter and compiled the supporting documents said that, at the time, she believed that the documents in question had been included in the materials that TSA had provided the CPO on another occasion. The DHS Privacy Office had received these materials earlier, but the documents had not been furnished by TSA. Instead, the DHS Privacy Office received the documents on February 13, 2004, from headquarters staff at DHS’ Border and Transportation Security directorate. Had TSA provided these materials to the DHS Privacy Office when they became available, the CPO would have had substantially more time to review them before the DHS Privacy Office’s report was issued. OCC staff reported, however, that TSA did not know when the DHS Privacy Office intended to publish its report.

Neither TSA nor the DHS Privacy Office had a system to track or locate documents provided in response to requests of this nature.
Since TSA had provided thousands of pages of documents to the CPO as they became available, it is likely that the documents associated with the congressional response letter were overlooked.

In addition to these documented requests, the CPO said that she asked TSA for information about other airline data transfers before her office’s report was released in February 2004. The CPO reports that TSA responded that the JetBlue matter was unique and suggested that TSA did not have a role in any other airline data transfers. We have been unable to find documentation that unequivocally corroborates this account and TSA staff we interviewed do not recall a broad request for information about airline passenger data transfers during that period. TSA responded to a March 2004 request from the CPO for information about other airline passenger data transfers the following month, after gathering relevant documents.

[62] See Appendix I for additional details about the CPO’s eight requests to TSA.
[63] The letter from Senator Patrick Leahy was dated October 10, 2003.

Conclusions

These cases illustrate weaknesses and a lack of reliability in the way that TSA processes requests for information.
Although we found no evidence of deliberate deception, the evidence of faulty processes is substantial.

At least three factors contributed to TSA’s shortcomings in its disclosure of information on its role in the transfer of airline passenger data. First, management of the CAPPS II program team had shifted three times since its formation. These management changes included significant staff turnover. This, in turn, hampered TSA’s ability to gather and interpret information and documents related to early program developments quickly.

Second, TSA staff who gathered information for requesters were sometimes provided with inaccurate or misleading information. Relying on his memory of events, the former CAPPS II program manager who wrote JetBlue to request that the airline provide data to Torch Concepts initially said he had only introduced Torch Concepts to JetBlue. In another case, until recently, Delta asserted that the real passenger records that it had provided to IBM and Infoglide were simply mock records.

Third, TSA did not have systems in place to support effective searches for materials responsive to document requests. In the case of a FOIA request, TSA did not solicit information from all relevant components. In another case, TSA staff were unable to determine what had been provided to the CPO, so important documents were not forwarded in a timely manner.

TSA’s inadequate performance in disclosing information on its role in the transfer of airline passenger data indicates a need for closer tracking of requests and greater internal accountability for responses.
Accordingly, we recommend that the Assistant Secretary for Transportation Security:

Recommendation 6: Adopt procedures for responding to external and intra-departmental requests for information that help guarantee a comprehensive, timely, and reliable response. At minimum, these procedures should include the:

• Designation of a primary point of contact and responsible staff person;
• Documentation of the scope of the search conducted for each request;
• Listing of materials provided to the requester; and
• Issuance of a formal written response indicating that the search for related documents and information has concluded.

TSA Privacy Focus

Personal privacy issues have commanded attention within TSA since its inception in November 2001. In the spring of 2002, attorneys with the OCC prepared and presented analyses of legal issues pertaining to the agency’s collection and use of data. Early legal analysis detailed, for example, the statutory basis for TSA’s authority to collect airline passenger data. Contemporary OCC guidance also addressed questions about the statutory rules regarding the use of particular types of personal information.
OCC staff monitored CAPPS II developments through regular attendance of weekly program meetings and consulted with program staff.

Early CAPPS II development work centered on system conceptualization and the identification of technical solutions to implement the system. As the planning and basic technical feasibility work drew to a close, CAPPS II program staff drafted and published an initial system of records notice for the program in January 2003. This first broad-scale announcement of the general outline of the program was performed in concert with outreach efforts to a wide-ranging group of stakeholders. In January and March 2003, TSA convened stakeholders from across government and the private and nonprofit sectors to discuss CAPPS II.[64] The meetings were called to gather input on how TSA could best address privacy concerns in structuring CAPPS II.

Over the past twenty months, a number of important changes have expanded the prominence of privacy concerns in the TSA’s operations. In March 2003, TSA was incorporated into DHS. With a new department came a new privacy oversight system.
Enabling legislation for the department called for hiring a chief privacy officer with authority to rule on internal privacy procedures and report to Congress.[65] DHS’ chief privacy officer, appointed on April 16, 2003, was an active agent in privacy discussions relating to CAPPS II from mid-2003 forward.

[64] Attendees included senior executives from the ACLU, American Conservative Union, Center for Democracy and Technology, Eagle Forum, and Potomac Institute for Policy Studies.

Provisions of the E-Government Act requiring agencies to perform PIAs under a number of circumstances became effective on April 17, 2003. Under most circumstances, these PIAs are publicly available and offer detailed information on all new and modified systems maintained by federal agencies that include information on more than ten individuals. Systems with data on foreign nationals and federal employees are exempt from this requirement.

In this new legal and organizational context, TSA released a second CAPPS II notice.
After reviewing public comments on its initial notice, on August 1, 2003, TSA published an Interim Final Notice on CAPPS II.[66] Consistent with an operating environment increasingly sensitive to public concerns regarding privacy, this second notice provided substantially more detail on system plans and design.

In March 2004, TSA unveiled a plan to support good privacy practice within the organization. The TSA Assistant Secretary affirmed the agency’s commitment to privacy by declaring that, “in carrying out the TSA mission to secure our nation’s transportation systems, we must respect and protect the privacy rights of all individuals we serve.” This five-point plan included the:

    • Implementation of ongoing educational and training programs for all employees;
    • Appointment of an external privacy advisory board;
    • Dissemination of a privacy statement specific to the tasks and circumstances at TSA;
    • Enforcement of specific internal policies and controls on use of data and private information; and
    • Hiring of a privacy officer to oversee compliance and to report on agency performance.

TSA has successfully implemented three of the five privacy plan elements.
TSA issued a privacy statement and hired a privacy officer in March 2004, and is engaged in the development and delivery of staff training programs. On March 8-12, 2004, TSA conducted a privacy education week with a series of programs emphasizing the roles and responsibilities of employees in protecting individual privacy. Additionally, TSA has mandated that all staff members participate in multimedia training on protection of personal privacy rights. According to TSA, 98% of its headquarters staff and 81% of field employees had completed a Privacy Act training program as of early August 2004.[67]

[65] DHS’ chief privacy officer is responsible for department-wide compliance with the Privacy Act and for evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the federal government.
[66] 68 Fed. Reg. 45265 (Aug. 1, 2003).

Before testing its new passenger pre-screening system, Secure Flight, TSA opened information on program testing to public comment. On September 24, 2004, TSA published in the Federal Register a Secure Flight Privacy Act system of records notice, a PIA, and a proposed order to airlines to provide PNR data for system testing.[68] These documents describe the data to be used in system testing, the purpose of the testing, and the types of testing that will occur.
They also articulate TSA’s commitment to implement data security and privacy protections during the testing process and provide for strict oversight and appropriate personnel training.

From the prototype development stage of CAPPS II in mid-2002 to the present, TSA has evolved with respect to its approach to privacy. This transition is still under way as the agency weighs the sometimes competing values of security and privacy in the execution of its critical aviation security function.

We recommend that the Assistant Secretary for Transportation Security, in coordination with the Chief Privacy Officer, as appropriate:

Recommendation 7: Appoint a TSA external privacy advisory board, as specified in TSA’s five-point plan, to review all agency privacy impact assessments, and, to provide consultation regarding the scope and methods of TSA supported data analysis and research involving individually identifiable data.

Recommendation 8: Develop procedures that will provide a clear process to: (1) approve the agency’s role in data sharing that involves individually identifiable information; and, (2) identify a particular employee responsible for monitoring the data security, usage, and final disposition of each transfer of individually identifiable information in which TSA becomes involved.

[67] TSA has approximately 53,000 employees.
[68] 69 Fed. Reg. 57342-57348 and 57352-57355 (Sept. 24, 2004).

Appendix A
Management Comments

Appendix B
OIG Evaluation of Management Comments

We evaluated TSA’s written comments to the draft report and made changes, as appropriate, to the final version.
Below is a summary of our analysis of TSA’s response to the recommendations contained in the draft report.

Recommendation 1: Develop clear protocols for obtaining airline passenger data and facilitating its exchange among other parties.

TSA Response: TSA concurs with this recommendation and writes that it has taken steps to address it. Citing its efforts related to the Secure Flight passenger pre-screening system as evidence of progress in this area, TSA points to its published PIA and Privacy Act system of records notice that indicate how test data is to be transferred and outline safeguards TSA will use to protect this data from unauthorized use or disclosure. In its remarks, TSA also highlights plans to prepare a Concept of Operations document stipulating how PNR data is to be obtained for Secure Flight, as well as related Operational Procedures. In addition, TSA discusses plans to execute MOUs that clearly define roles and responsibilities with other agencies and departments that will handle data in the development and implementation of Secure Flight. Importantly, TSA also reports that it has instituted internal procedures covering the receipt, handling and transmission of data sent to the agency.

OIG Evaluation: TSA has pursued a more formalized process for obtaining and sharing data in its efforts regarding the Secure Flight system than in the past. To determine whether TSA has developed clear protocols for obtaining and exchanging airline passenger data, however, we will need to review the agency’s related internal procedures. Recommendation 1 is resolved – open.

Recommendation 2: Ensure privacy and personal data protections are written into acquisition documents where performance may involve the collection, maintenance, use, or dissemination of individually identifiable data.

TSA Response: TSA concurs with this recommendation.
TSA states that it now includes clauses on privacy and personal data protection in all contracts and agreements in which privacy and personal data are involved.

OIG Evaluation: The incorporation of clauses on privacy and personal data protection into applicable contracts and agreements is responsive to this recommendation. Recommendation 2 is closed.

Recommendation 3: Require final reporting for acquisitions with intensive data analysis or processing components that addresses data receipt, processing, distribution, utilization, and disposition, as well as attention to data security and privacy.

TSA Response: TSA concurs with this recommendation and has committed to ensure that final reporting of this kind occurs. In addition, TSA is considering revisions to standard acquisitions language to require periodic and final reporting for data-intensive contracts.

OIG Evaluation: TSA’s commitment to ensure final reporting on data receipt, processing, utilization, and disposition, as well as data security and privacy in acquisitions is promising. The revision of standard contract language to require periodic and final reporting for data-intensive contracts will be fully responsive to this recommendation.
Recommendation 3 is resolved – open.

Recommendation 4: Require entities performing work for TSA to report to the agency on how they are addressing data security, privacy protections, and confidentiality.

TSA Response: TSA concurs with this recommendation and has taken steps to implement it. TSA states that, for agency acquisitions, it will require compliance with data security, privacy protection, and confidentiality policies, procedures, and reporting set forth by the DHS and TSA Privacy Offices. TSA also expresses its intent to evaluate offerors’ data security and privacy protections in the pre-award phase of data-intensive contracts.

OIG Evaluation: TSA’s commitment to evaluate offerors’ plans for ensuring data security and privacy protection is partially responsive to this recommendation. Coupled with this, the planned revision of standard contract language described in the agency’s response to the previous recommendation would be fully responsive to this one.
Recommendation 4 is resolved – open.

Recommendation 5: Re-evaluate TSA’s response to FOIA requesters who solicited information in September 2003 regarding their airline passenger data. Such a reevaluation should, at minimum, involve the removal or amendment of the letter posted on TSA’s FOIA reading room web site to reflect the fact that TSA is in possession of JetBlue passenger data.

TSA Response: TSA believes that it fully complied with its obligation to conduct a reasonable search for records responsive to FOIA requests submitted using a template on the ACLU web site. TSA also reports that it has removed the letter asserting that the agency had no JetBlue passenger data from its FOIA reading room website.

OIG Evaluation: We modified this recommendation in response to comments from TSA and the DHS Privacy Office. TSA’s removal of the letter in question from its FOIA reading room web site is an acceptable response to this recommendation in its current form. Recommendation 5 is closed.

Recommendation 6: Adopt procedures for responding to external and intra-departmental requests for information that help guarantee a comprehensive, timely, and reliable response.
At minimum, these procedures should include the:

    • Designation of a primary point of contact and responsible staff person;
    • Documentation of the scope of the search conducted for each request;
    • Listing of materials provided to the requester; and
    • Issuance of a formal written response indicating that the search for related documents and information has concluded.

TSA Response: TSA concurs with our recommendation to adopt procedures for responding to external and intra-departmental requests for information. For privacy-related information requests originating from the DHS Privacy Office, the TSA privacy officer is now the principal point of contact. The TSA privacy officer is now responsible for coordinating and tracking responses to information requests from the DHS Privacy Office.

OIG Evaluation: TSA’s designation of its privacy officer as the principal point of contact for requests from the DHS Privacy Office is partially responsive to this recommendation. The scope of our recommendation extends beyond TSA’s interaction with the DHS Privacy Office. Our recommendation is intended to ensure that TSA has a system in place to respond to requests for information and materials not covered under current guidelines or procedures. Before closing this recommendation, we must confirm that TSA’s procedures for responding to requests from organizations other than the DHS Privacy Office include all of the elements described in the recommendation.
Recommendation 6 is resolved – open.

Recommendation 7: Appoint a TSA external privacy advisory board, as specified in TSA’s five-point plan, to review all agency privacy impact assessments, and, to provide consultation regarding the scope and methods of TSA supported data analysis and research involving individually identifiable data.

TSA Response: TSA acknowledges the importance of effective oversight and describes planned and existing privacy oversight mechanisms. TSA’s privacy officer provides guidance on the gathering and utilization of personally identifiable information, and coordinates and approves PIAs for TSA programs in collaboration with the CPO. In its efforts surrounding the development and implementation of the Secure Flight passenger pre-screening system, TSA has constituted an external working group to evaluate privacy standards and practices, as well as program security measures.
TSA also notes that the DHS Privacy Office is forming a privacy oversight group that will serve as a future oversight apparatus in this area.

OIG Evaluation: Although TSA acknowledges the importance of effective oversight in its comments, it does not articulate plans for forming a TSA-wide privacy advisory board with a mission as described in our recommendation. Nevertheless, the TSA and DHS privacy officers currently address the intended PIA review function of such an advisory board. Meanwhile, an external working group provides consultation that may address the scope and methods behind the Secure Flight data analysis and research. This working group, however, cannot be expected to provide consultation on the scope and methods of other data analysis and research efforts undertaken by the agency. Absent the formation of a TSA-wide advisory board to address these issues, TSA’s declared commitment to form external working groups to perform this function on an ad hoc basis would be considered fully responsive to this recommendation.
Recommendation 7 is resolved – open.

Recommendation 8: Develop procedures that will provide a clear process to: (1) approve the agency’s role in data sharing that involves individually identifiable information; and, (2) identify a particular employee responsible for monitoring the data security, usage, and final disposition of each transfer of individually identifiable information in which TSA becomes involved.

TSA Response: TSA concurs with this recommendation. The TSA privacy officer, Office of Chief Counsel and the DHS Privacy Office currently advise program staff on requirements on sharing personally identifiable information. For the Secure Flight program, TSA has designated the Office of Transportation Vetting and Credentialing’s Information System Security Officer as responsible for monitoring compliance with privacy and confidentiality policies and procedures.

OIG Evaluation: TSA’s response does not suggest that a clear process for approving agency participation in data transfers is in place. Nor does TSA’s response identify a procedure for designating employees responsible for data transfer monitoring activities.
Recommendation 8 is resolved – open.

Appendix C
Recommendations

We recommend that the Assistant Secretary of Homeland Security for Transportation Security, in coordination with the Chief Privacy Officer, as appropriate:

Recommendation 1: Develop clear protocols for obtaining airline passenger data and facilitating its exchange among other parties.

Recommendation 2: Ensure privacy and personal data protections are written into acquisition documents where performance may involve the collection, maintenance, use, or dissemination of individually identifiable data.

Recommendation 3: Require final reporting for acquisitions with intensive data analysis or processing components that addresses data receipt, processing, distribution, utilization, and disposition, as well as attention to data security and privacy.

Recommendation 4: Require entities performing work for TSA to report to the agency on how they are addressing data security, privacy protections and confidentiality.

Recommendation 5: Re-evaluate TSA’s response to FOIA requesters who solicited information in September 2003 regarding their airline passenger data. Such a reevaluation should, at minimum, involve the removal or amendment of the letter posted on TSA’s FOIA reading room web site to reflect the fact that TSA is in possession of JetBlue passenger data.

Recommendation 6: Adopt procedures for responding to external and intra-departmental requests for information that help guarantee a comprehensive, timely, and reliable response. At minimum, these procedures should include the:

    • Designation of a primary point of contact and responsible staff person;
    • Documentation of the scope of the search conducted for each request;
    • Listing of materials provided to the requester; and
    • Issuance of a formal written response indicating that the search for related documents and information has concluded.

Recommendation 7: Appoint a TSA external privacy advisory board, as specified in TSA’s five-point plan, to review all agency privacy impact assessments, and, to provide consultation regarding the scope and methods of TSA supported data analysis and research involving individually identifiable data.

Recommendation 8: Develop procedures that will provide a clear process to: (1) approve the agency’s role in data sharing that involves individually identifiable information; and, (2) identify a particular employee responsible for monitoring the data security, usage, and final disposition of each transfer of individually identifiable information in which TSA becomes involved.

Appendix D
Airline Passenger Data Transfers Covered in this Report

Airline Passenger Data Transfers in this Report

Assistance to Other Agencies
● TSA facilitated the transfer of Delta Air Lines passenger data to the U.S. Secret Service in February 2002.
● TSA requested JetBlue Airways transfer passenger data to U.S. Army subcontractor Torch Concepts. Data was provided in September 2002.

CAPPS II Development Efforts
● While developing a prototype for CAPPS II, Ascent Technology accessed Delta Air Lines passenger data in June 2002.
● While developing a prototype for CAPPS II, HNC Software accessed records for Continental, Frontier, and America West Airlines passengers in mid-2002.
● While developing a prototype for CAPPS II, HNC Software accessed records for JetBlue Airways passengers in mid-2002.
● While developing a prototype for CAPPS II, HNC Software accessed passenger records from various airlines through HNC E-Tickets in mid-2002.
● In association with CAPPS II development efforts, Airline Automation, Inc. provided TSA and four CAPPS II vendors with American Airlines passenger records in May and June 2002. Each of these transfers is treated as a separate case.
  The four CAPPS II vendors were:
    ○ Ascent Technology, Inc.
    ○ HNC Software, Inc.
    ○ Infoglide Software Corporation
    ○ Lockheed Martin Corporation
● While developing another CAPPS II component, IBM accessed Delta Air Lines passenger records in February and March 2003.
● To test CAPPS II, TSA requested and received records for passengers on numerous airlines from Sabre Holdings in May 2003.

CAPPS I Improvement
● To assess ways to improve the existing CAPPS system, TSA requested and received JetBlue Airways passenger records in May and June 2003.

Appendix E
Confidentiality and Disposition of Airline Passenger Data Transferred

Source Airline                       Data Provider  Data Recipient       Confidentiality Agreement*  Final Data Disposition
Delta                                Delta          U.S. Secret Service  Yes                         Destroyed
American                             AAI            Ascent               Yes                         Destroyed
American                             AAI            HNC Software         Yes                         Destroyed
American                             AAI            Infoglide            Yes                         Held in Secure Setting
American                             AAI            Lockheed Martin      Yes                         Held in Secure Setting
American                             AAI            TSA - CAPPS II       No                          Not Accessed; Not Retained
Delta                                Delta          Ascent               Yes                         Unknown
Continental, Frontier, America West  SHARES         HNC Software         Unknown                     Unknown
JetBlue                              Acxiom         HNC Software         Unknown                     Unknown
Various                              HNC E-Tickets  HNC Software         Unknown                     Unknown
JetBlue                              Acxiom         Torch Concepts       Yes                         Some Data Compromised; Other Data Held in Secure Setting
Delta                                Delta          IBM                  Yes                         Destroyed
Various                              Sabre          TSA - ONRA           No                          Not Accessed; Returned
JetBlue                              JetBlue        TSA - AVOPS          No                          Held in Secure Setting

* An agreement between the data provider and data recipient that sets out the intended uses of the data, restricts the sharing of the data, and binds the data recipient to maintain data confidentiality.
Contracts, memoranda of
understanding, confidentiality agreements, and non-disclosure agreements are examples of types of agreements
that may meet this standard.


Appendix F
Airline Passenger Data Transfer Detail

Summary Detail of Airline Passenger Data Transfers with TSA Involvement

                      Data Transfer Parties                             Data Description
Date(s) of Transfer   Airline       Provider       Recipient            Records       Individuals  Travel Dates

February 2002         Delta         Delta          U.S. Secret Service  Unknown       Unknown      02/01/01-02/26/02

05/24/02, 06/17/02,   American      AAI            Ascent               ~1,841,640*   Unknown      12/08/01-12/15/01,
06/27/02-06/29/02                                                                                  06/22/02-06/29/02, …

05/24/02, 06/17/02,   American      AAI            HNC Software         ~1,841,640    Unknown      12/08/01-12/15/01,
06/27/02-06/29/02                                                                                  06/22/02-06/29/02, …

05/24/02, 06/17/02,   American      AAI            Infoglide            ~1,841,640    Unknown      12/08/01-12/15/01,
06/27/02-06/29/02                                                                                  06/22/02-06/29/02, …

05/24/02, 06/17/02,   American      AAI            Lockheed Martin      ~1,841,640    Unknown      12/08/01-12/15/01,
06/27/02-06/29/02                                                                                  06/22/02-06/29/02, …

06/17/02,             American      AAI            TSA - CAPPS II       ~1,841,640    Unknown      06/22/02-06/29/02, …
06/27/02-06/29/02

Early June 2002       Delta         Delta          Ascent               N/A           Unknown      Unknown

Mid 2002              Continental   SHARES         HNC Software         787,081       Unknown      06/20/02-07/03/02

Mid 2002              Frontier      SHARES         HNC Software         70,523        Unknown      06/20/02-07/03/02

Mid 2002              America West  SHARES         HNC Software         589,515       Unknown      06/20/02-07/03/02

Mid 2002              JetBlue       Acxiom         HNC Software         2,725,352     Unknown      01/13/02-09/05/02

Mid 2002              Various       HNC E-Tickets  HNC Software         400,000       Unknown      06/20/02-06/25/02

Mid 2002              Unknown       WorldSpan      Infoglide            ~13,000,000   Unknown      Unknown

September 2002        JetBlue       Acxiom         Torch Concepts       ~5,000,000    2,226,715    Unknown

02/27/2003            Delta         Delta          IBM                  ~1,000,000    Unknown      Unknown

May 2003              Various       SABRE          TSA - ONRA           ~1,500,000    Unknown      Unknown

05/14/03, 05/23/03,   JetBlue       JetBlue        TSA - AVOPS          3,909         Unknown      07/29/02, 01/21/03,
06/04/03                                                                                           01/23/03, 03/11/03,
                                                                                                   05/18/03, 05/20/03,
                                                                                                   06/01/03

* “~” denotes approximate figure based on available information.


Appendix G
Privacy Act of 1974 and E-Government Act of 2002

Privacy Act of 1974

The provisions of the Privacy Act are invoked when a system that meets the legal
standard for a “system of records” is created or maintained. Such a system must
be under the control of a federal agency and contain individually identifiable
information. In addition, a Privacy Act system of records must have records
that are retrieved or accessed by a governmental entity or its proxy using an
individually identifying particular, e.g., name, social security number, etc.
Furthermore, according to TSA, the system must have a decision-making aspect
that supports an agency function and has a bearing on individuals.69 Systems of
record covered by the Privacy Act include personnel files maintained in a file
drawer as much as databases operating on computer networks.

Under the Privacy Act, notices for all systems of record are to be published in the
Federal Register.
Published systems of record notices document the authorities
under which the government agency maintains the system of records, the purpose
the system serves, the types of records contained in the system, and their routine
uses. With limited exceptions, records covered by the Privacy Act may only be
released in line with the “routine uses” of the system reflected in the system notice
or with the consent of the individual to whom the record pertains.

Consistent with the Privacy Act, DOT published an initial system of records
notice for CAPPS II on January 15, 2003.70 After reviewing the substantial
volume of public comments on the initial CAPPS II notice, TSA issued a revised
Interim Final Notice for CAPPS II.71 Published on August 1, 2003, the interim
notice provided substantially more detail on CAPPS II design and proposed
function.

Importantly, the Privacy Act also grants individuals certain rights over records
pertaining to them. Provided such records are not maintained in an exempted
system, individuals have the right to access, amend, and contest the accuracy of
records about them.

69 Department of Homeland Security, Transportation Security Administration, Office of Chief Counsel, Report on Passenger
   Name Record Data Exchanges Involving Projects to Improve Passenger Screening, August 18, 2004, pp. 50-52.
70 68 Fed. Reg. 2101 (Jan. 15, 2003).
71 68 Fed. Reg. 45265 (Aug. 1, 2003).

The Privacy Act also affords protections against improper access to and disclosure
of information contained in a system of records. Criminal penalties may be
applied under the statute in cases where the following has occurred:

    • Information barred from disclosure has been disclosed;
    • Systems of record have been willfully maintained without adherence to
      notification requirements; and
    • Records have been requested or obtained under false pretenses.


E-Government Act of 2002

Provisions of the E-Government Act, effective on April 17, 2003, mandated that
all agencies conduct PIAs for new information technology investments and new
electronic information systems and collections. The PIA development process
was designed to ensure that data handling is compliant with relevant laws,
that agencies consider the risks and effects of their data systems, and that they
examine system design alternatives that could mitigate privacy risks.
Ultimately, PIAs result in published documents that address the following:

    • What information is to be collected
    • Why the information is being collected
    • What are the intended uses of the information
    • With whom the information will be shared
    • What opportunities individuals have to decline to provide information
      or consent to particular uses of the information and how individuals can
      grant consent
    • How the information will be secured
    • Whether a system of records is being created under the Privacy Act.

The E-Government Act designated the Office of Management and Budget (OMB)
as the entity responsible for detailing certain E-Government Act implementation
requirements. OMB issued guidelines on when federal agencies are required to
conduct PIAs. Specifically, OMB guidance requires the conduct of PIAs before:

    • Developing or procuring [information technology] systems or projects
      that collect, maintain or disseminate information in identifiable form
      from or about members of the public; or
    • Initiating a new electronic collection of information in identifiable
      form for 10 or more persons, excluding agencies, instrumentalities or
      employees of the federal government; and, OMB also mandates the
      conduct of a PIA when changes to existing systems create new privacy
      risks.72

72 OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, M-03-22 (Sept. 26, 2003).


Appendix H
JetBlue Passenger Data Provided to TSA

Date        Flight #   Origin   Destination   Passengers

7/29/2002   47         JFK      FLL
1/21/2003   41         JFK      MCO
1/23/2003   15         JFK      FLL
1/23/2003   20         TPA      JFK
1/23/2003   96         OAK      JFK
1/23/2003   191        JFK      LAS
3/11/2003   17         JFK      FLL
3/11/2003   20         JFK      ROC
3/11/2003   34         PBI      JFK
3/11/2003   35         JFK      PBI
3/11/2003   42         MCO      JFK
3/11/2003   43         ROC      JFK
3/11/2003   49         JFK      FLL
3/11/2003   52         MCO      JFK
3/11/2003   59         JFK      MCO
3/11/2003   64         RSW      JFK
3/11/2003   82         LGB      JFK
3/11/2003   90         OAK      JFK
3/11/2003   101        IAD      FLL
3/11/2003   107        LGB      IAD
3/11/2003   221        JFK      LGB
3/11/2003   222        LGB      JFK
3/11/2003   247        OAK      LGB
3/11/2003   281        LAS      LGB
3/11/2003   345        JFK      RSW
5/18/2003   47         JFK      FLL
5/20/2003   79         JFK      MCO
6/1/2003    1          JFK      FLL
6/1/????    25         JFK      FLL
6/1/????    81         JFK      FLL

                                TOTAL         3,925


Appendix I
DHS Privacy Office Requests of TSA

We reviewed documentation and conducted interviews regarding eight requests
for information and summarized each of these requests and TSA’s responses.

1. The CPO sent an e-mail on September 18, 2003, to a TSA public affairs
   officer requesting any documentation regarding the transfer of data by
   JetBlue to TSA or DOT. It does not appear from documents that we
   reviewed that this request was ever answered directly. On November
   12, 2003, the TSA chief of staff e-mailed the CPO acknowledging TSA’s
   non-responsiveness and stating that the public affairs officer had no
   information in response to the request.

2. On October 24, 2003, the CPO e-mailed the ONRA deputy director
   asking for “a thorough accounting of any contact with Torch Concepts,
   JetBlue, DOD or others, while at ONRA, DOT, or elsewhere, as it
   relates to the JetBlue incident.” The same day, ONRA’s deputy director
   responded via e-mail suggesting a meeting for November 11, 2003, and
   the CPO agreed.

3. The CPO sent an e-mail to TSA’s Assistant Administrator for Policy on
   October 24, 2003, requesting that they discuss the JetBlue PNR transfer
   to Torch Concepts. We did not locate a direct response to the CPO’s
   e-mail in documents we reviewed; however, the Office of the Assistant
   Administrator for Policy assisted with the document collection effort
   discussed in the next paragraph. In our May 4, 2004, interview with the
   CPO, she did not suggest the Assistant Administrator was not responsive
   to her requests.

4. On November 12, 2003, the CPO sent a request to the TSA
   Administrator, Deputy Administrator, and Chief of Staff asking for help
   to ensure a thorough internal review was made of any documents or
   personnel regarding the JetBlue PNR transfer. The CPO requested a
   response by November 21, 2003. On November 25, 2003, TSA provided
   a response to the CPO. Both the CPO and TSA employees said that the
   response consisted of hundreds of pages of materials. In a February 16,
   2004, e-mail, the TSA employee who coordinated the response to this
   request said that he worked with the Policy Office, the FOIA office, and
   the CIO’s office to collect materials for the CPO.

5. On January 20, 2004, the CPO sent an e-mail to TSA’s FOIA officer
   asking for TSA documents from a 2002 FOIA request about Northwest
   Airlines. There was one document responsive to this request and on
   January 20, 2004, the FOIA officer offered to either fax or hand-deliver it
   to the CPO.

6. On February 13, 2004, the CPO sent a request to TSA’s FOIA officer
   asking for all documents gathered for FOIA requests related to JetBlue.73
   In the documents we reviewed relating to this request, we found no direct
   response.

7. On February 16, 2004, the CPO sent a follow-up request to TSA’s FOIA
   officer asking for all documents gathered for FOIA requests. The CPO
   told us that the FOIA office provided documents in February 2004 and
   that the FOIA office was very responsive to requests for information.

8. On January 29, 2004, the former CAPPS II program manager sent a letter
   to the Army OIG and copied TSA’s OCC.
   The letter addressed several of
   the Army OIG’s questions pertaining to their investigation of the transfer
   of JetBlue PNR data to Torch Concepts. On February 16, 2004, the CPO
   requested OCC provide the letter and on February 17, 2004, TSA’s chief
   counsel faxed it to the CPO.

73 The Electronic Privacy Information Center, the ACLU, and Wired News made FOIA requests in September and October
   2003. The FOIA requests generally asked for materials related to JetBlue, DOD subcontractor Torch Concepts, Acxiom
   Corporation, and DOD contractor SRS Technologies. The FOIA documents were later turned over to the DHS Privacy
   Office.


Appendix J
Major Contributors to This Report

Carlton Mann, Chief Inspector, Department of Homeland Security,
Office of Inspections, Evaluations, and Special Reviews

Kenneth McKune, Senior Inspector, Department of Homeland Security,
Office of Inspections, Evaluations, and Special Reviews

Frank Parrott, Senior Inspector, Department of Homeland Security,
Office of Inspections, Evaluations, and Special Reviews

Justin H. Brown, Inspector, Department of Homeland Security,
Office of Inspections, Evaluations, and Special Reviews

Patrick Harenburg, Inspector, Department of Homeland Security,
Office of Inspections, Evaluations, and Special Reviews


Appendix K
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Under Secretary for Border and Transportation Security
Under Secretary for Management
Director, United States Secret Service
General Counsel
Assistant Secretary for Public Affairs
Chief of Staff
Chief Privacy Officer
Deputy Chief Security Officer
Management OIG Liaison


Transportation Security Administration

Assistant Secretary of Homeland Security for Transportation Security
OIG Liaison


Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Program Examiner


Congress

Committee on Homeland Security and Governmental Affairs
United States Senate

Committee on the Judiciary
United States Senate

Congressional Oversight and Appropriations Committees, as appropriate


Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG)
at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at
www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal
or noncriminal misconduct relative to department programs or operations, call the
OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP
2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building
410, Washington, DC 20528, or email DHSOIGHOTLINE@dhs.gov. The OIG seeks to
protect the identity of each writer and caller.